
Published on December 30th, 2022


You Cannot Escape Cybersecurity



Christine is the chief technology officer at WithSecure.

Pericles supposedly said, “Just because you do not take an interest in politics doesn't mean politics won't take an interest in you.” This may be even more true of cybersecurity.

If you’re part of an organization that has any sort of digital presence, you can't escape the responsibility of securing your systems, devices and data. And if motivated criminals who often operate using cyber weapons first developed by nation-states don’t force you to care, regulators will.

Regulations Can Be A Crisis Or An Opportunity

Eventually, every country will adopt some form of data regulation to protect the public; given their responsibility to shield citizens from cyber threats, governments have little other choice. Even if the country where your business resides isn’t currently under a data protection regime, it’s likely that some nation where you want to do business is.

If your business waits until regulations force compliance, you will be under extreme pressure to deliver a ton of work just to be compliant. Anyone who went through the GDPR nightmare that many organizations experienced during their journey of becoming compliant can tell you that as the deadline approaches, no one is having fun.

On the other hand, if you're consistently and iteratively already working toward improving your cybersecurity posture, every little thing you do can help with compliance later. The positive steps you take will build on top of each other so that when regulations come into effect, you and your staff won’t be under extreme stress.

Let’s look at what all companies can do to bake cybersecurity into their operations. We’ll begin with those of us who rely on software to thrive, which is everyone doing business in the 21st century.

You’re Only As Safe As Your Suppliers

Many companies don't realize just how intertwined we are with our suppliers nowadays. Most of the software and data we rely upon today are no longer on our devices; they sit on someone else's server, in someone else's data center or cloud. And as we shift even further into the software-as-a-service (SaaS) model, our endpoint devices become little more than terminals for accessing data that resides in a location we have no control over.

And as supply-chain attacks grow increasingly common, they’re a constant reminder that you’re only as safe as your suppliers.

This means that you need to be discriminating when selecting suppliers. This can start with asking them to answer cybersecurity questionnaires or requiring them to be audited by a third-party expert. Depending on your budget, the sensitivity of the data and the potential effect of a breach on your customers, this process can be quick or quite lengthy. It’s always worth the time.

Understand The Impact Of A Cyberattack On Your Organization

Here are some questions you need to know the answers to: How can a cyberattack affect your organization’s goals? How does it impact the outcomes your organization desires? Organizations have very clear outcomes that they aim to achieve monthly, quarterly or annually, but can a cyberattack change them? What are the risks that are introduced by a cyberattack? And what are the assets that are at risk?

If your organization does not understand the impact of a cyberattack, you may think that ticking some boxes when it comes to cybersecurity is enough to keep your organization secure. But you may be in for a surprise when a cyber-criminal discovers a crown jewel that is critical to your business outcomes and that your organization has forgotten about.

Establish A Cybersecurity Training Process

If you can bake cybersecurity as early as possible into every process, then you are halfway toward achieving an organization that’s secure by design. Cybersecurity training should not be a one-time thing. For cybersecurity to be baked into your employees’ mindset, security awareness training needs to be integrated into everyday working life.

For businesses that build software, cybersecurity is even more inescapable. Here are the extra steps software companies can take to ensure cybersecurity is an asset for the company and not a liability.

Identify The Potential Misuse Of Your Product

Most companies include their customers’ needs in their development roadmap. But we rarely do the opposite and identify the ways our software can be misused. When we identify potential abuses, we take the first step toward eliminating or mitigating them. Threat modeling can be a valuable tool in pointing out areas of misuse even from the early stages of design.

Bake Cybersecurity In

The buzzword is “shift left,” but prioritizing cybersecurity as early as possible in a product’s life cycle will eventually save you time and money. While developers are still committing code into their continuous integration/continuous deployment (CI/CD) platforms, analysis of the issues introduced by the new code and by the third-party libraries it pulls in can help identify problems before they’re baked in. Dynamic checks for issues that only appear in the final piece of software will weed out what remains. And when problems are discovered, having a DevSecOps team that owns cybersecurity is key. They should oversee not only creating and maintaining code but also fixing any cybersecurity issues.
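The paragraph above describes the shift-left gate in the abstract: a CI step that inspects the third-party libraries a change pulls in and stops the build before a known-bad version is baked into the product. The following is an added illustration of that gate, written for this article and not code from WithSecure or the author. Everything in it is constructed: the requirements-style manifest, the package names (`flaskish`, `yamlparse`, `requestsy`) and the advisory records with placeholder identifiers stand in for a real lockfile and a real advisory feed. It handles the two edge cases such a gate most often gets wrong: numeric rather than string comparison of versions (so 5.10 sorts after 5.9), and refusing to pass unpinned dependencies, which cannot be checked reproducibly.

```python
"""CI dependency gate: fail the build when a pinned third-party library
falls inside a known advisory's affected range.

Added example for the "shift left" discussion; not the article's or
WithSecure's code.  The manifest, package names and advisories below are
constructed for illustration, and the advisory ids are placeholders.
"""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed manifest in requirements.txt style (hypothetical packages).
MANIFEST = """\
# web stack
flaskish==2.0.1
yamlparse==5.3.1
requestsy==2.31.0
"""


@dataclass(frozen=True)
class Advisory:
    """One affected-range record from a (constructed) advisory feed."""
    package: str
    introduced: str          # first affected version, inclusive
    fixed: Optional[str]     # first fixed version, exclusive; None = unfixed
    ident: str               # placeholder id, not a real CVE number


# Constructed advisories: yamlparse 5.0.0 up to (not including) 5.4.0 is
# affected; flaskish below 2.0.0 is affected, so 2.0.1 is clean.
ADVISORIES = [
    Advisory("yamlparse", "5.0.0", "5.4.0", "ADV-PLACEHOLDER-1"),
    Advisory("flaskish", "1.0.0", "2.0.0", "ADV-PLACEHOLDER-2"),
]


def parse_version(v: str) -> tuple:
    """Turn '5.3.1' into (5, 3, 1) so versions compare numerically;
    comparing strings would wrongly put '5.10' before '5.9'."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> dict:
    """Return {package: version} for every '==' pin, skipping comments and
    blank lines.  Unpinned or malformed lines raise: a floating version
    cannot be checked reproducibly, so the gate refuses to pass it."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def find_violations(pins: dict, advisories) -> list:
    """List (package, version, advisory id) for every pin that matches."""
    hits = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            hits.append((adv.package, version, adv.ident))
    return hits


def gate(manifest_text: str, advisories=ADVISORIES) -> int:
    """Exit code for the CI step: 0 = clean, 1 = a vulnerable pin was found."""
    violations = find_violations(parse_manifest(manifest_text), advisories)
    for pkg, ver, ident in violations:
        print(f"BLOCK: {pkg}=={ver} matches {ident}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(gate(MANIFEST))
```

Run as a pipeline step, the non-zero exit code is what turns the finding into a blocked merge rather than a report nobody reads; the dynamic checks the paragraph mentions run later against the built artifact and catch what a manifest scan cannot see.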

Maintain A Channel For Security Updates Throughout The Lifetime Of The Product

Even if your organization is designed for cybersecurity, you can’t prepare for every potential issue in your product. Attackers are creative. That’s why it’s essential to have a channel for software security updates as security issues arise. If possible, you should perform security updates even beyond the lifespan defined by the manufacturer and for as long as there's a substantial volume of users. Otherwise, your unpatched flaws will just cause issues for the rest of us.

Of course, you can ignore all these precautions and hope for the best. But at some point, either a cyberattack or a regulator will make sure you care.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

