How to Herd Cats
Cyber security, hacks, breaches and attacks … oh my! Every day in the news there is some headline regarding a company, famous individual or government being compromised by an attack from cyberspace.
What is Cyberspace?
According to The Oxford English Dictionary, cyberspace is “The notional environment in which communication over computer networks occurs.” What is the difference between reality and cyberspace? I contend that there is no difference, and as our world grows increasingly connected via cyberspace from our computers, phones, cars and fitness equipment (wearables), the line between physical reality and digital reality is more and more blurred and will probably disappear at an astonishing pace.
At proServices, we provide independent software/cyber security services, so we have the privilege of working with customers whose products operate within the cyberspace domain. The notion of protecting their systems from being “hacked” and maintaining a balance between remaining competitive, protecting their brand and protecting their customers is still a work in progress.
What is Cyber Security?
According to TechTarget, “Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.” Cyber security not only requires a holistic approach from the depths of your data to the fringes of your network, but it also requires a shift in culture. This is especially true when it comes to addressing the application layer within your framework of assets that require protection.
Build a Secure Culture
Culture eats strategy for lunch! I’ve had the fortunate experience in my life of touring a Japanese automobile assembly plant. There were signs everywhere, from the assembly line to the break room to the restrooms, reminding everyone of how to build a quality vehicle. They even supplied their workers with covers and tape for their jewelry to ensure that they did not scratch the cars. The company’s culture is all about a supreme focus on the quality of the end product.
Considering the constant threat our connected world is under, including the products we produce, the best of our clients have recognized a need to change the culture within their software organization to focus more proactively on security. In many companies, software organizations have a lot of freedom to implement security best practices, but only when it’s convenient and not impeding time-to-market drivers. It has been a paradigm of “herding cats” instead of soldiers marching.
Leadership is the Main Ingredient
Leadership is the hardest component to get into place for a change in culture. It requires a company to be truly authentic in making software security a priority and a part of its core values. Without this commitment, there will be compromise, which breeds complacency and turns our strengths into weaknesses. Too often, after identifying security vulnerabilities in a customer’s software, we find out that they were the result of an executive decision that introduced the risk into the software. Therefore, leadership must be unwavering.
The Best of Approaches
One of the best approaches to changing culture is when our clients proactively address the following components: People, Process, Technology, Data Management, Standards and Transparency. They view each of these components as essential to building a secure culture. I have provided some examples of best practices we have seen within some of these components below.
People – Don’t talk the talk, but walk the walk!
One of our clients provides recurring security training to their software engineers. It’s viewed as a necessary and continual investment. Cyber threats and attacks change every nanosecond, and they felt it was necessary to make sure their employees were updated on the latest programming techniques to reduce their software attack surface. Training also reemphasizes to their employees that security is a core value, one requiring constant investment; it also sends a message that pleading ignorance is not an excuse.
An important part of building a secure culture with their employees was through gamification. The executives recognized that they had to provide incentives to promote openness and emphasize the importance of security. They achieved a shift in mentality within their software ranks from one of hiding embarrassing defects to one that promoted discussing vulnerabilities as an opportunity to share lessons learned.
Data Management – It’s not the tools!
One customer started by first asking which security risks were important for the organization to proactively identify, manage and mitigate. This led to an understanding of what training and processes needed to be in place to ensure those objectives could be met. They identified several security standards and cherry-picked the best from each, tailored to their product space. Only then did they research a suite of tools that could produce reliable data to feed into their process and ultimately answer those questions. The default in our industry is a company working from the bottom up and starting with the tools first, which too often leaves many opportunities for systems to be compromised.
The above are only two brief examples of many. No silver bullet exists for software security; however, building a secure culture provides the needed ammunition to fight back, secure your software, protect your brand and your customers, and, most importantly, build something inside your company that is bigger than any individual and will be there long after you’re gone.
PSC Vice President