I’ve had the pleasure of speaking with hundreds of security teams, and the biggest mistake I’ve seen is that they confuse buying a tool with running a program: they think of the tool as driving the program, rather than as one part of it. Instead of focusing on the tool, security teams should focus on what a security program means to them and what they are trying to accomplish. Below, I share insights that can improve your cybersecurity strategy.
The misconceptions and limitations of cybersecurity tools
Not planning a complete program leads to failure. Being able to detect something, but doing nothing about it, is not helpful. Too often, security teams mistakenly believe that a security tool is a complete security program. But can we blame them?
Cybersecurity tools are packaged to be attractive: elegant dashboards, integrations, APIs, multilingual support, the promise of finding everything. These features give the illusion of a safe bet. Security teams buy these tools expecting, then hoping, then pleading, that their gamble will pay off.
Breaches through known vulnerabilities
Organizations typically take weeks or months to patch a software vulnerability. Even more surprising, in about a third of breaches, a fix for the exploited vulnerability was already known before it was exploited. Why? Security tickets get de-prioritized when there is no meaningful vulnerability management program behind them and no stakeholder buy-in to get the fix scheduled.
Best practices for creating effective cybersecurity programs
The National Institute of Standards and Technology (NIST) describes the goal of a security program as “how to maintain continuous awareness of information security, vulnerabilities and threats to support organizational risk management decisions.” A security program answers five questions: why, what to do, when, how and who. Simplify these answers by turning them into policies and instructions that everyone can follow.
“In my organization,” a former chief information security officer (CISO) told me, “we didn’t give the green light to purchase any tool until a remediation plan for the tool was established.” This former CISO understands that managing security well means managing your security program, which in turn means building and maintaining a security culture. To be effective, you must embed your security program into every level of the company.
My advice: before purchasing a tool such as a SAST scanner, lay the foundation for a security program.
There are so many threat models and definitions out there that it can be overwhelming. Instead, keep it simple to get started. Use this proven formula:
program = tool + people + processes + objectives
If you do this, you will avoid the misconception that a tool is a program. These practices produce security programs that are more effective, resilient and adaptable, and that actually get bugs fixed.
In the following two sections, I highlight two important and often overlooked parts of this equation.
Stakeholder involvement in security programs
Stakeholder involvement is critical to a security program. The vast majority of a security team’s success rests on the relationships and consensus it builds with key stakeholders, such as engineering teams. Neglecting stakeholder involvement and commitment will cause the vast majority of tool purchases to fail.
Stakeholder involvement ensures that everyone understands the importance of cybersecurity and eliminates ambiguity. The security program helps each individual understand their role in security and why fulfilling that role matters. When implementing a SAST tool, not having buy-in from your engineering team means you will accumulate a backlog of findings that nobody acts on.
Vulnerability management
Vulnerability management is a critical component of an effective security program, and it applies to most security tools. We have found that only larger companies hire a dedicated vulnerability manager; in most organizations, nobody owns the vulnerabilities that the tools report.
Vulnerability management involves identifying, assessing, prioritizing, and then addressing vulnerabilities in the system, with remediation deadlines tied to severity and a named owner for each finding. This is an ongoing process that requires regular monitoring and updating.
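To make the “identify, assess, prioritize, address” loop concrete, here is an added example (not code from the original article, and not from any particular SAST product) that triages a constructed batch of SAST findings. The severity-to-SLA mapping, the rule identifiers, file locations and team names are all assumptions chosen for illustration; in practice the SLAs come from your own policy and the findings from your scanner’s export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical remediation SLAs in days, keyed by scanner severity.
# These values are an assumption for the example, not a recommendation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str            # scanner rule that fired, here labelled by CWE
    severity: str           # critical / high / medium / low as reported by the tool
    location: str           # file:line reported by the scanner
    first_seen: date        # date the scanner first reported this finding
    owner: Optional[str]    # engineering team that accepted the ticket, None if unassigned


def days_open(finding: Finding, today: date) -> int:
    """Age of a finding in days, measured from the first scan that reported it."""
    return (today - finding.first_seen).days


def is_overdue(finding: Finding, today: date) -> bool:
    """A finding is overdue once its age exceeds the SLA for its severity."""
    return days_open(finding, today) > SLA_DAYS[finding.severity]


def prioritize(findings, today: date):
    """Order findings for triage: overdue first, then by severity, then oldest first."""
    return sorted(
        findings,
        key=lambda f: (not is_overdue(f, today), SEVERITY_RANK[f.severity], f.first_seen),
    )


def triage_report(findings, today: date):
    """Bucket findings into what a program owner must act on this week.

    overdue:  past SLA, needs escalation regardless of who owns it
    unowned:  within SLA but nobody has accepted the ticket (no stakeholder buy-in)
    on_track: owned and within SLA
    """
    report = {"overdue": [], "unowned": [], "on_track": []}
    for f in prioritize(findings, today):
        if is_overdue(f, today):
            report["overdue"].append(f)
        elif f.owner is None:
            report["unowned"].append(f)
        else:
            report["on_track"].append(f)
    return report


# Constructed sample input standing in for a SAST export; not real findings.
TODAY = date(2024, 6, 1)
FINDINGS = [
    Finding("CWE-89", "critical", "api/users.py:42", date(2024, 5, 20), "payments"),
    Finding("CWE-79", "high", "web/templates.py:118", date(2024, 5, 25), None),
    Finding("CWE-798", "high", "infra/deploy.py:9", date(2024, 3, 1), "platform"),
    Finding("CWE-327", "medium", "auth/tokens.py:77", date(2024, 4, 20), "identity"),
    Finding("CWE-200", "low", "util/log.py:13", date(2023, 10, 1), None),
]

if __name__ == "__main__":
    for bucket, items in triage_report(FINDINGS, TODAY).items():
        print(bucket)
        for f in items:
            print(f"  {f.rule_id:8} {f.severity:8} {f.location:24} "
                  f"{days_open(f, TODAY):4}d  owner={f.owner}")
```

The point of the report is that two of the three buckets are program problems, not tool problems: an overdue critical finding with an owner is a scheduling failure, and an unowned finding is exactly the missing-buy-in case described above. A scanner can produce the list; only the program decides what happens next.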
For example, when fixing code vulnerabilities reported by a SAST tool, the essential steps are remediation first and prevention afterwards. There is a lot of published guidance on proactive efforts. What I can add is that newer tooling, in particular automatic remediation, can mature a vulnerability management program quickly. Recent developments in artificial intelligence let teams take on work that used to belong to other specialties: product managers can now perform data science tasks, and AI can propose patches for vulnerable source code. Security teams cannot scale their efforts alone. They must invest in practices and systems that move the program forward.
Conclusion
Cybersecurity tools are no substitute for a robust security program. Nobody buys construction tools and starts building willy-nilly. Without a plan, they would end up with a chaotic assemblage of screwed screws, hammered nails, and sawn boards. That is effort, not progress. Unfortunately, a tool without a solid plan behind it goes the same way. A security program ensures that security tools are effective, provide value to your organization, and ultimately make it more secure.