Virtually every speaker and vendor at last week’s RSA Conference stressed the obvious: It’s dangerous out there, and it’s only going to get worse over time. While no organization can escape every threat, there are proactive steps it can take to mitigate those risks.
Results from a new Deloitte survey, unveiled at the conference, stressed the need to better integrate security into every facet of the organization. According to the survey, less than 20 percent of organizations have security liaisons embedded in their business units.
“Historically, the skillset cyber practitioners have doesn’t always lend itself to collaboration, and that’s part of the reason why we see that sometimes, cyber security is not integrated into the rest of the IT organization,” said Mark Nicholson, a principal in Deloitte’s Cyber Risk practice. “That makes it very difficult to be nimble and get things done, and it can become a real roadblock. But it’s critical.”
Having security “baked in” to all processes and products is also critical to good security moving forward, the report found.
“Cyber can't be a standalone anymore. It has to be pulled through as you're rethinking products and your business transformation,” Nicholson said. “If it’s not baked in, the cyber security controls become a slowdown to production—sort of a speed bump.”
Data is another critical tentpole in effective cybersecurity, especially as it continues to grow exponentially. IDC, for example, reports that worldwide data will grow 61 percent to 175 zettabytes. A growing percentage of that data is generated by connected devices, and all of it presents growing risk over time. The Deloitte survey found that 90 percent of organizations experienced disclosures of sensitive production data within the past year, while 41 percent experienced more than five. It also found that data integrity is the most concerning cyberthreat.
You can’t protect all of that data, so focus on securing the data that’s most valuable, the report recommends. The best way to do that is by improving policies on how to avoid disclosures of sensitive business production data. It’s also important to increase the use of DevSecOps. Yet the survey found that very few companies today use DevSecOps for cyber-defense.
Sisters Keren and Amit Elazari took a different approach to protecting the cyberfuture in their presentation “From Dystopia to Opportunity: Stories from the Future of Cybersecurity”. Keren Elazari, an ethical hacker, analyst and researcher, stressed the need for companies to welcome the efforts of “friendly hackers”—hackers that proactively attempt to penetrate systems to help organizations find and patch vulnerabilities. She said in the talk that friendly hackers might just be an organization’s best ally.
These hackers aren’t doing this out of the goodness of their hearts; they expect rewards. And they often get them, through “bug bounty” programs. Even some of the most conservative organizations in the world have bug bounty programs. Elazari cited one—the Pentagon—which in 2016 launched the Hack the Pentagon program. “From the moment the program was announced to the time they got their first valid submission was 13 minutes. How many weeks, months or years was that vulnerability out there? This program is changing people’s lives,” she said.
“Working with friendly hackers is the key to the future. That friendly offense that can help you identify the vulnerabilities and blind spots and help you develop better security measures,” she said. “In my years in the hacker community I have met some brilliant people who may not conform to your idea of what a security professional looks like, but they have a lot to contribute. You are already enjoying some of the benefits of that hacker’s immune system because some of your favorite coffee chains, airlines, car companies and technology companies are working actively with friendly hackers.”
Amit Elazari Bar On, who focuses on computer crime and intellectual property law as director of global security policy at Intel, urged companies to create vulnerability disclosure programs. These programs typically outline the expectations and rules for accepting bugs and vulnerability discoveries by outside hackers, along with potential legal ramifications.
“If you haven’t established a process for receiving and handling vulnerability reports coming from external researchers… you are already behind,” she said. Bar On suggested that companies look to the Department of Justice’s 2017 guidance and recommendations when establishing a bug bounty and/or vulnerability disclosure program.
“If we can establish those best practices and foster that collaboration, we might [reach] new horizons,” she said. “Here’s one example: By using the crowd of algorithmic auditors to uncover potential bias and discrimination in machine learning processing.”
In some cases, preparing for a safer future requires less complex processes.
“It takes everyone in IT being willing to simplify,” Nicholson said. “How many different versions of Adobe or different browsers do you have in the environment? It’s about basic, everyday decisions that can make protecting the enterprise more difficult.”