How to Balance Security with Digital Transformation

28.May.2018
Outpost24
A recent study shows that IT security pros are struggling to keep up with the technologies that drive digital transformation. New technologies in connectivity and virtual infrastructure are helping companies to innovate supply chains and digitalize customer experiences. The new opportunities offered, however, come with a set of new security challenges in the form of an expanded attack surface. This is a double-edged sword, increasingly becoming a boardroom issue – how do companies keep up with the pace of innovation (and competition) while protecting their critical assets from security breaches?

Full stack technology needs full-stack security

In the race to digital transformation, more and more organizations are turning to new technologies and serverless architecture to accelerate productivity. This, in turn, expands the technology stack from traditional data centers to virtualized infrastructure, containerized and open source software, and a new range of connected devices dubbed “the Internet of Things” (IoT). But the proliferation comes at a cost - the virtual playground of new technologies is providing hackers with a myriad of opportunities to disrupt business and gain unauthorized access.

 

RSA survey chart

According to our latest survey of IT security professionals at the RSA Conference, 25% of organizations said they are most concerned about the security of their cloud infrastructure and applications, 23% are most concerned about their IoT devices, 20% about their mobile devices, while 15% are worried about their web applications, and 13% about their data assets, databases and file shares. IT security pros are less concern about their owned infrastructure and data centers, with only 5% saying they were least secure.

Their concerns are well-founded. As critical assets and data are becoming more distributed, their attack surface is expanding. Hackers now have more ways to gain access, build footholds and move laterally within an organization’s system. It’s no longer enough for security teams to seek out and mitigate vulnerabilities in the infrastructure independently from applications, cloud network, and other connecting technologies.  To protect your organization, gaining complete visibility of cyber security exposure across your technology stack and understanding the correlated risks will become a pre-requisite.

 

Security teams are held back by lack of resources and skills

With added responsibilities to safeguard an ever-expanding technology stack, IT security pros are finding a new definition of the perimeter and expected to keep current with the latest cloud infrastructure and data being stored everywhere. But more often than not, organizations are not preparing their security teams with the skills and resource required to cope with the new pressure.

In our RSA report, over 40% of the IT security pros surveyed admit to ignoring critical security issues when they don’t know how to fix them (16%) or don’t have the time to address them (26%).

An interesting example is the rise of agile software development and accelerated pace of “agility” to release application software continuously. IT security pros struggle to keep up with the pace, while at the same time being asked to “shift left” in the DevOps process and introduce security practices earlier in the Software Development Life Cycle (SDLC).  An earlier focus on security is expected to yield results in reducing the attack surface and associated business risk.

To make things worse, the cybersecurity skills shortage is well documented and remained one of the most significant problems for CISOs. IT security pros are firefighting with increasing amount of security incidents and less time for training, process improvement, and security strategy. No wonder only 17% of organizations surveyed in our report take the time to prioritize remediation based on business need.

 

 

 

 

How to keep up with digital transformation

Security often gets lost in the buzz (and speed) of digital transformation. As more high-profile data breaches are coming to light, so is new regulation with huge ramifications and penalties. Organizations must start consolidating their security technologies, automating the cyber security assessment process and upskilling their staff to ensure long-term success.

 

Understand the weak points in your stack

Security testing is the first step in establishing a baseline view of your cyber security exposure. It is essential to test your networks, cloud infrastructures, related applications data stores, and user access proactively. Penetration testing can be an excellent way to get a holistic overview of the cybersecurity exposure across part or all of an organization’s assets as well as expose threats within systems that may have gone unnoticed. Our study found that organizations use penetration testers, 46 percent had uncovered critical issues that could have put their business at risk.

Automate and orchestrate your security process

Once a baseline is established, use automated assessments and notifications to complement manual penetration testing to reach a goal of continuously monitoring. Hackers use automation techniques as well to increase the pace of their attacks, so security automation is an essential element to keep up. In an age when cybercrime is rife, merely patching and hardening their systems once or twice a year leaves a big window for attack. Many attacks leverage known vulnerabilities that could have been prevented with simple patching.  As the attack surface widens security leaders should orchestrate remediation efforts based on risk levels to prioritize workload and maximize efficiency.

Avoid security testing fails by taking the next step

Sadly, security testing often ends with a report being delivered, but without reaping the full benefits. Remediation action should be considered as close to the time of assessment as possible. Penetration tests are sometimes done out of habit or to show compliance, while the benefits of distributing actions and shrinking the attack surface go unfulfilled.

To maximize the value of penetration testing investment, changing the way you work with the penetration testers and the setup of projects can make a tremendous difference. We’ve seen great success by providing our clients with extended access to our security experts after the pen test. This allows organizations more time for security advice and verification of patching and remediation efforts. These are extremely useful to guide organizations with less security-savvy through the process.

It is critical that organizations take time to understand the potential risk of cyber security exposure found in their environment and address the findings from both a business and technical perspective. By engaging the penetration testers post-test, senior management will also have a better understanding of the risks and be able to make better decisions on the strategy for remediation; and security team will get a better idea of the different solutions available to address the security issues.

 

Security testing is one of the keys to uncover your risk exposure. If you want to know more about our survey, download the full report. If you're going to perform a penetration test on your technology stack, our expert's team is available to help you discover your weaknesses and reduce your risk exposure.

Looking for anything in particular?

Type your search word here