As ransomware and major vulnerabilities run rampant, security has remained a high priority for organizations even during the recent downturn. Looking at the data, global businesses ranked cyber incidents as their top risk in 2022, as a record-breaking number of global cyber attacks hit last year, including numerous high-profile incidents like the Log4j vulnerability. Now boards are scared of what a high-profile attack could do to their bottom line, so budgets continue to expand for needed security precautions and thoughtful security programs.
Frequent cyber attacks, coupled with the security industry's last few years of growing pains (the transition to working from home outside the established safety of the corporate office, the rising complexity of distributed teams, and the growing infrastructure stack), have put mounting pressure on security organizations.
However, all that weight shouldn't rest solely on the security team's shoulders. In fact, nowadays the most challenging part of security isn't convincing people they need security, but providing actionable guidance on how to be secure. To do that, everyone in an organization, not only the security team, needs context and data about how to make the right decisions. Security teams can help provide that.
You Can’t Do Security Alone
The concept of the weakest link isn't new in security. In weak-link systems, like soccer, if you want to build a great team, what matters is the strength of your worst player. It's not enough to have one or two superstars, because everybody's actions have an impact on the final score.
Therefore, it's important for security organizations to communicate with and rely on all of their stakeholders. This is how you instill a better security culture across the company and also provide clarity upwards for executives and governance boards on how the security program is performing.
Unfortunately, the tools that we have to do this today are so high level that they’re ultimately ineffective outside of security teams (e.g. risk registers). However, we’re starting to see the communication of security transform. For example, infrastructure and operations teams get the visibility of cloud environments and triaging of vulnerabilities with cloud security posture management (CSPM) tools like CloudQuery and Wiz. Cybersecurity leadership, company executives, and boards get metrics on the business outcome of their security program with cybersecurity performance management solutions like SeeMetrics. Developers get continuous quality and security issues in their development flow after each pull request with solutions like r2c and Snyk. Your wider employee base can get timely advice about patching and locking down their user accounts from security awareness companies like Elevate Security and open source tools like Stethoscope.
Seeing Is Believing
To align an organization on a common security mission, it's critical to show stakeholders the real, continuous data relevant to them. This can be thought of as "security dashboards for everybody else": up-to-date metrics or guidance that product and business teams can use to measure and track their security posture and drive decision making.
But doing this right is tricky given how faulty and overly complex metrics can immediately lose stakeholder trust. Here are some ideas on how to redefine security dashboards to be most effective:
- Reduce clutter: If there’s a massive volume of issues that you're expected to remediate and every vulnerability is considered high severity, then people will get information paralysis. Vulnerability alerts need to prioritize what is actually accessible and high risk to the organization. Security teams may care about the overall security posture from all of these vulnerabilities, but only push down what matters to the business team. You would much rather say “here's something you must do today” and keep the ugly numbers behind the curtains.
- Provide easy to complete remediations: If the fix is overly complicated, then chances are it won’t be done or will take time to complete. Remediations that can eliminate multiple vulnerabilities with one update have a much higher impact. For example, you may have a long list of vulnerabilities, but sometimes the easiest and most effective remediation is pulling from a recent image or running a Docker update instead of patching each vulnerability individually.
- Make integration easy: Each role within an organization has its own set of tools. Developers may be living in their IDE, terminal, or code repository, while information workers may operate predominantly in email, the Microsoft Office suite, and CRM. Providing an in-flow security experience will need easy integrations with that group's toolchain.
- Visualize outcomes: What's your mean time to patch? Are you using CI/CD? These are helpful barometers. Giving asset owners security dashboards based on their security state can help them understand scenarios. For example, it's easy to say "just update Linux," but updating Linux from one version to another can be a 6-month process with incompatibilities. In these cases, it might be better to just do an intermediary patch, and product teams should be able to model this.
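As an added example (not from the original post), here is how the first two ideas could be turned into the filter a dashboard might run: keep only exposed, high-or-worse findings for the business team, then rank remediations by how many findings a single action closes. The `Finding` type, severity scale, and sample findings are constructed for illustration; the CVE ids are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str            # placeholder identifiers, not real CVEs
    severity: str       # "critical", "high", "medium" or "low"
    internet_exposed: bool
    remediation: str    # the single action that closes this finding


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def actionable(findings, min_severity="high"):
    """Keep only what a business team must act on: reachable from the internet
    and at or above the severity floor. Everything else stays with security."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if f.internet_exposed and SEVERITY_RANK[f.severity] >= floor]


def remediation_plan(findings):
    """Group findings by the action that fixes them and rank actions by how
    many findings each one closes, so one image rebuild outranks N patches."""
    by_action = defaultdict(list)
    for f in findings:
        by_action[f.remediation].append(f)
    ranked = sorted(by_action.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(action, len(fs)) for action, fs in ranked]


# Constructed sample findings (hypothetical assets and placeholder CVE ids)
SAMPLE = [
    Finding("api-gateway", "CVE-PLACEHOLDER-1", "critical", True, "rebuild from base image 2023.06"),
    Finding("api-gateway", "CVE-PLACEHOLDER-2", "high", True, "rebuild from base image 2023.06"),
    Finding("api-gateway", "CVE-PLACEHOLDER-3", "high", True, "rebuild from base image 2023.06"),
    Finding("batch-worker", "CVE-PLACEHOLDER-4", "critical", False, "rebuild from base image 2023.06"),
    Finding("web-frontend", "CVE-PLACEHOLDER-5", "high", True, "upgrade openssl package"),
    Finding("web-frontend", "CVE-PLACEHOLDER-6", "medium", True, "upgrade curl package"),
    Finding("internal-wiki", "CVE-PLACEHOLDER-7", "low", False, "upgrade curl package"),
]

if __name__ == "__main__":
    todo = actionable(SAMPLE)
    print(f"{len(SAMPLE)} raw findings, {len(todo)} shown to the product team")
    for action, n in remediation_plan(todo):
        print(f"  {action}: closes {n} finding(s)")
```

The security team can still run `remediation_plan(SAMPLE)` over the unfiltered list to see overall posture, while the product team only sees the short, ranked list.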
Security doesn't need to be invisible. In fact, it should be front and center. Accountability and an understanding of how individual actions affect security debt go a long way. Going forward, I can even see this translating into premium features provided by the infrastructure, developer, analytics, and productivity tools themselves. This could give way to the next generation of security companies with baked-in rather than bolt-on features for easier adoption.
In this age of growing cybersecurity risk, decision makers across startups and enterprises of all sizes are increasingly recognizing the importance of security hygiene. As the responsibility trickles down from CISOs and security teams to individuals across the entire organization, everyone needs to play a part. Until security dashboards for all become widespread in the enterprise, remember: we're all in this together!
If you’re a startup building a security solution for the enterprise or a security practitioner in the enterprise looking to chat through these topics, please reach out!