Don’t let your cyber guard down with application security

Everybody wants more applications, but somebody has to be responsible for assessing the cyberthreat to their growing application portfolio and ensuring an appropriate risk-management structure.

That was the topic that practitioners, consultants, and influencers eagerly turned to when #IDGTECHtalk focused on how to evaluate and improve your organization’s security posture in a Twitter chat Feb. 25, moderated by @nyike (Isaac Sacolick) and sponsored by @GlobalNTT.

Do organizations have programs in place to manage risk across their applications portfolios? Definitely, according to Techtalkers. Are these programs operating at optimal performance? Maybe.

Businesses are rapidly revising existing programs to manage risk across application portfolio. 2 main reasons. #multicloud apps and #wfh access behavior. Both need unified visibility with changing #security risk profiles & many more app attack vectors
Adam Stein @apstein2

Still, nobody can afford to be complacent:

The challenge is though that there are so many applications, of which they all need to be secured. Attackers have the advantage that they need but one insecure application to gain entry.
Ben Rothke @benrothke

Automation may not be the total answer, but it is essential as part of a solution.

Tracking all [vulnerabilities] and trying to keep up is no longer a human-scale process. Too much to track, too much to fix. Automating can call out the most risk-worthy things that need fixing ASAP.
Nick Gonzalez @nickg1421

Automation can really move the needle, not just by uncovering vulnerabilities but also by getting the right findings into the hands of the right developers as fast as possible.
WhiteHat Security @whitehatsec

Is there confidence that security and dev teams are fully trained on appsec and are sufficient resources committed?

First “hahahaha.” Second, most hiring needs never address this because you’d never be able to hire anybody.
I’ve called for “secure coding” riders in our contracts, but realize that socializing secure coding skills is often on the org & not the individuals.
Amélie E. Koran @webjedi

Sufficient whaaaaaaaat? 😇 Training is anybody’s guess, but comments like “that piece of code hasn’t been touched since the ’90s, and probably nobody still with the company really knows it” implies a strong no…
Chris @CPetersen_CS

Security, though, can’t be ensured by any one team or person; it has to encompass the entire organization.

#cybersecurity is most effective when everyone understands that they are part of a larger whole, which requires organizational change management and training to drive adoption.
Kayne McGladrey @kaynemcgladrey

*Make it a culture!
Perhaps, include it in the recruitment policy.
Train employee on safe practices. Since it only takes a slight slip to get exposed.
Benjamin A. Martins @Benni_aji

Finally, some advice on what to do if a breach is suspected.

Stay calm. Access the damage and BE TRANSPARENT. If you are honest and transparent with your customers and with the rest of us, you’ll at least save some face. If you lie, and try and cover it up, you’re going to look like a real jerk (PG-13)
Nick Gonzalez @nickg1421

Or, the moderator noted, you could just:

Break glass for (Brand | BC | DR | Infosec | …. ) plan
Isaac Sacolick @nyike

There’s much more advice and insights to peruse @idgtechtalk. In the meantime, check out how NTT can help ease the security burden.