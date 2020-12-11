As the texts, chat messages, emails, and now an actual live phone call comes in… you realize that the dreadful moment you have had those nightmares of when you wake-up in a cold sweat, has just become a reality. Your organization has just experienced a breach. But, how?

With all of these security tools you have invested in, how is this possible? The controls are working, right? EVERYTHING is protected… isn’t it? Even those pen testers you hired, couldn’t get in. You’re at a complete loss.

Wake up! And let’s cut to reality. You will never be able to guarantee any organization, no matter how good you think your security is, that they will not experience a breach. So as you reimagine the ways to make your organization more cyber resilient, you need to consider how you adjust the approach you take in order to better PROTECT your business.

Let’s first take into consideration just a few of the things that you need to deal with. Don’t worry, there really can’t be too much to have to think about, right? I mean, has much really changed over the past several years, never mind the impact of 2020? Well, think again my friend. I assume you are not in a business that is either thinking or in the process of going through “Digital Transformation”, right? Wait! You mean your organization is doing this?! Shocking!

So guess what… it’s time to put on your big boy pants and get ready to deal with things like, Data Explosion, the Application Threat Vector, Virtual Perimeters, and I’ll just stop right there before you get too scared to keep reading this. No worries, we can actually protect our businesses with an approach that will help withstand attacks and as Curtis Mayfield sang, or the modernized version by Travie McCoy, “…you gotta keep on keeping on, even with the feeling that you’re gonna keep losing, Oh! you gotta come back stronger ” and ensure the business “keeps on keeping on”!

Ok, now let’s go ahead and start breaking down some of these things.

- - - Data Explosion: Organizations continue having difficulty understanding what data is business-relevant, as well as regulated, never mind where it exists, properly classifying it and, most importantly, ensuring it is protected. - - -

When it comes to the sheer volume of data, your head starts spinning. What to do? Well, first you need to get a handle on what data is business-relevant, as well as regulated, for example privacy requirements, and identify where it exists. Now you can classify it to align with your business use and most importantly protect the data to the point where it retains its value for your business use, but when/if it gets into the wrong hands… you know, the “bad guys”, it’s of no value. They can take it to the dark web and attempt to sell it, but will soon realize that the data has been de-monetized. Sorry, bud, nice work getting in and exfiltrating the data, but in the end, you get zip, zero, zilch!

- - - Application Threat Vector: With digital transformation initiatives accelerating, applications are growing exponentially and serving as the main vector attackers are leveraging to gain access to the data. - - -

And now onto our good friend the app… which one you might ask? All of them! They serve as the new way in to the business. Rife with vulnerabilities waiting to be exploited. An attackers “easy button”. You get the point! So as we are all going through “Digital Transformation” efforts, applications are front and center, and new apps are being released faster than you can say “you thought your code was safe… you were wrong”. How can you better secure the apps? Well, you need to embed security in. Security must be part of the development lifecycle and done so in a way that the developers don’t think twice about it. It’s just part of their tool set, baked in, seamless to the way they code. Oh, and please, just don’t slow them down. That’s the whole reason why developers haven’t been as, let’s say “embracing” to application security in the past. With DevOps here, there’s no looking back trying to figure out how to plug security in at the end of test cycle just before release. Get with it! Application security IS part of DevOps, stop trying to plug it in somewhere after the fact.

- - - Virtual Perimeter: As "work-from-anywhere" has become the new norm, how can we ensure the validity of identities and protect our business. While also enabling our customers and employees with a seamless experience. - - -

Ah, and now we get to the “new norm”… Work-from-anywhere! I’ll admit that if there’s one thing positive to take away from the current issues we are all dealing with globally, for me, it’s the work from anywhere flexibility. I can be where I want to be and have a positive mindset to get my work done and be more productive. (Disclaimer: I know my boss will be reading this, so I had to make sure to add that “more productive” line in there). Now back to our friend, the Identity. Which identity, you might ask? All of them, including things such as IoT devices, APIs, you name it. If it has a need to access an application, system, and data, then it has a need to be verified and authorized. And if you know me, I don’t trust anyone. Get the play there on “Zero Trust”. So, the point here is to ensure we are providing our employees, customers, business partners and so on, with the best user experience while ensuring we are properly protecting our business from intruders.

All of this helps drive a protection model that is designed with a resilient business operations in mind. We need to realize that we cannot stop all attacks and protect everything. Modernization of business is paramount to staying relevant and competitive. Doing so while ensuring resilience is built-in is of even greater importance. So think about what it is you can do to drive the desired business outcomes for your organization. Here are a few examples to consider:

Cost Avoidance & Reduction: Embedding security into the application develop lifecycle greatly reduces costs associated to a data breach as well as the cost to remediate the software driving revenue for the business.

Embedding security into the application develop lifecycle greatly reduces costs associated to a data breach as well as the cost to remediate the software driving revenue for the business. Increased Consumer Confidence: Enabling a secure and seamless customer experience while also ensuring their data is protected supports customer loyalty and adoption.

Enabling a secure and seamless customer experience while also ensuring their data is protected supports customer loyalty and adoption. Reduced Enterprise Risk: By understanding what is critical and sensitive data to your enterprise, and properly protecting that data greatly enhances your risk posture.

Ok, so now you’re asking yourself… Hmm, I wonder if there’s anyone out there that can help we with this approach. Well, I may just know someone.

And don’t forget “…you gotta keep on keeping on, even with the feeling that you’re gonna keep losing, Oh! you gotta come back stronger ” and ensure the business “keeps on keeping on”!