This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.
An observer watching a bunker shot by legendary pro golfer Gary Player was heard to say: "I've never seen anyone so lucky in my life." The player retorted: "Yes, and the more I practice, the luckier I get." Yet when it comes to cybersecurity, nearly half of organisations are solely relying on luck to get them through a cyberattack.
There is not enough practice or training in terms of incident response, and testing happens haphazardly, varying from developer to developer and organisation to organisation, which obscures the baselines and the context necessary to ensure security and resilience. Particularly in terms of testing, we've noticed that despite awareness of its importance, bugs and vulnerabilities routinely slip through. In fact, a recent Ixia survey found that 34 percent of developers have deployed products that had a few bugs. Worse, 31 percent said products harboured significant vulnerabilities that required patching later in the cycle, after they had shipped.
The problem has been exacerbated by the rapidly growing normalisation of agile development processes. Groups of developers are tasked with building products piecemeal, leading to application development that is often incremental and happens in iterative cadences. Testing and oversight happen at each step of the process, but the segmented nature of the development cycle means that bugs and vulnerabilities often arise only when the code is assembled, and are routinely missed. It's clear that more than a local test is needed: a comprehensive end-to-end test and relevant training are critical.
A Change in Culture
Improvement begins by changing the culture that minimises security testing for the sake of launch timelines. Too often, the product development team will come together just to be told they need to move up their release date. The habit results in products that walk a thin line of performance, as they may contain unknown security holes due to not being fully tested. It's a major reason for security incidents, even with multiple layers of security tools.
This also requires the right training. Having seemingly secure code and the right security measures is not enough for a strong security stance if proper training is not implemented. Organisations need to learn how to respond. Yet recent SANS Institute research into the incident response capabilities of companies worldwide found that 43 percent of respondents did not have a formalised incident response plan, and 55 percent didn't even have an incident response team.
This less-than-vigilant approach to system-level security can have worse implications once a product goes live on the network. For instance, updates, patches and configuration changes applied when a new feature is added can reset an organisation's security posture, and this sometimes goes unnoticed, leaving gaps for threat actors to exploit. Continuous testing and training, from the very onset of operation and throughout a tool's lifespan, are imperative for all employees, especially IT and security pros, even in their simplest iterations.