Category: Cyber Security

When cybersecurity experts talk about cyber resiliency, they’re talking about the ability to effectively respond to and recover from a cybersecurity incident. Many organizations don’t like to think about that — and it’s easy to see why. Many have invested heavily in tools designed to protect their networks from intrusion and attack, and planning for cyber resiliency means accepting the possibility that those tools might fail.

But the truth is, they might. In fact, they probably will. Even with the best tools on the market, it isn’t possible to stop 100% of attacks, which means it’s important to plan for the worst. In doing so, you can improve your cyber resiliency, which can significantly mitigate the damage caused by those inevitable attacks that manage to slip through the cracks.

Putting a plan in place that details how to handle a cyber-triggered business disaster is essential, but it isn’t always easy to get started. Here are the top five questions CISOs should be asking when it comes time to evaluate — and improve — cyber resiliency.

1. Do you have strong retainers in place? 

It’s difficult — not to mention dangerous — to go it alone. There’s no shame in seeking out help from experts. In fact, it’s usually the smart thing to do. Most organizations (hopefully!) don’t have significant experience when it comes to dealing with cyber incidents, but there are many third parties that can provide invaluable guidance and assistance.

Do you have a good incident response retainer in place? What about a good cyber crisis communications retainer? These are not things you want to be scrambling for in the midst of a disaster, but having them in place in advance can help you respond quickly and effectively. A technical incident response firm can support and validate containment and eradication of the threat, while a crisis communications firm can help you coordinate both internal and external messaging. Communication can often make or break an incident response, so don’t overlook that element.

2. Do you have well-defined cyber incident response plans and resiliency playbooks?

A cyber incident response plan deals primarily with the security team’s categorization, notification, and escalation of the technical incident, but a strong cyber resilience playbook details the various resources and workstreams that need to be activated for a broad, enterprise-level response effort. Key stakeholders and decision-makers across internal and external counsel, public relations, disaster recovery, crisis communications, business continuity, security, and executive leadership should be involved in this playbook — who is going to lead which workstream and what will the decision-making process look like?

There may be decision-making thresholds you can pre-define. Ransomware payment is a good example, particularly with the continuous rise in ransomware attacks. Can you align in advance on when your organization would consider simply paying the ransom? Maybe that threshold is a certain amount of time without key business functions, or maybe it’s a dollar amount. Aligning on those decisions in advance can save significant time.

This is also a good opportunity to align on the decision-making resources that might be needed, such as out-of-band communications or deciding whether certain incidents need to be handled in person. Do you need corporate apartments that can be sourced through procurement? Are there other external relationships that need to be established? Having these discussions early can ease coordination across the whole enterprise.

3. Are you testing your playbooks and third-party firms?

You can’t just put policies and procedures in place. You need to test them. And that doesn’t just apply to internal parties — you can bring your retained firms in to conduct tabletop exercises as well.

For an incident response retainer, you might have them lead the security operations center (SOC) in a technical tabletop exercise. This tests the coordination between the SOC and the incident response firm to see how well they know the relevant procedures in the incident response plan and whether they can communicate effectively. For a crisis communications firm, try having them lead a management-level tabletop exercise, since the firm would be spearheading external communications and ensuring that everyone is aligned on the messaging. It can be helpful to work through that messaging in an executive tabletop.

Of course, these tabletop exercises can also be combined. The incident response firm and the crisis communications firm can be tested with a mock incident that escalates from the SOC all the way up to an enterprise-level concern. This can help gauge their response capabilities as an incident becomes more serious, as well as their ability to effectively communicate that response.

4. Do you have a strong grasp of your most critical business processes?

Maybe more to the point, do you understand the critical path for those business processes? That means the third-party applications, the underlying infrastructure, the data center locations, and other key factors that go towards producing those processes. Do you have backup processing methods? Do you have a manual process method that you can use in a pinch? Do you have offline contact information for your third-party vendors so you can quickly and easily get ahold of them in the event that your data is locked up?

These are all critical questions that organizations need to be able to answer in the event of an emergency. Understanding that critical path can help you know who to call and which business process needs to be activated during an incident. The last thing you want is to discover that the contact information for all of your vendors is stored on a server currently encrypted by ransomware attackers.

5. Do you have a disaster recovery plan in place?

Do you know clearly — and in what sequence — you need to recover data and infrastructure? Do you know the exact point of recovery? Do you know the recovery time objective for recovering that infrastructure data? Depending on the process, that time objective might be 30 minutes, or it might be a week. Knowing that answer is essential not just for setting expectations, but for planning your recovery effectively.

Business continuity and disaster recovery programs don’t just need to be in place, they need to be evaluated with failover tests. For example, if your system has regional redundancies, you might conduct a test in which one region fails and the system immediately falls over to another region. The security and disaster recovery teams can then practice recovering the data for the region that “failed.” This serves the dual purpose of both making sure the failover is working and ensuring recovery systems are operating as planned.

Hope for the Best, Plan for the Worst

No one wants to believe they will be the victim of a cyber-triggered business disaster, but it’s always better to have a plan and not need it than to need a plan and not have it. But cyber resiliency is not something that can be “achieved” and forgotten. It needs to be maintained as the organization changes and scales over time. By keeping these concerns top of mind and conducting regular testing and tabletop exercises, you can help ensure that your resiliency remains strong even as the organization evolves..[…] Read more »….

The evolving threat landscape is making identity protection within the enterprise a top priority. According to the 2022 CrowdStrike Global Threat Report, nearly 80% of cyberattacks leverage identity-based attacks to compromise legitimate credentials and use techniques like lateral movement to quickly evade detection. The reality is that identity-based attacks are difficult to detect, especially as the attack surface continues to increase for many organizations. 

Every business needs to authenticate every identity and authorize each request to maintain a strong security posture. It sounds simple, but the truth is this is still a pain point for many organizations. However, it doesn’t need to be.

Why identity protection must be an urgent priority for business leaders

We have seen adversaries become more adept at obtaining and abusing stolen credentials to gain a foothold in an organization. Identity has become the new perimeter, as attackers are increasingly targeting credentials to infiltrate an organization. Unfortunately, organizations continue to be compromised by identity-based attacks and lack the awareness necessary to prevent it until it’s too late.

Businesses are coming around to the fact that any user — whether it be an IT administrator, employee, remote worker, third-party vendor or customer — can be compromised and provide an attack path for adversaries. This means that organizations must authenticate every identity and authorize each request to maintain security and prevent a wide range of cyber threats, including ransomware and supply chain attacks. Otherwise, the damage is costly. According to a 2021 report, the most common initial attack vector — compromised credentials — was responsible for 20% of breaches at an average cost of $4.37 million.

How zero trust helps contain adversaries 

Identity protection cannot occur in a vacuum — it’s just one aspect of an effective security strategy and works best alongside a zero trust framework. To realize the benefits of identity protection paired with zero trust, we must first acknowledge that zero trust has become a very broad and overused term. With vendors of all shapes and sizes claiming to have zero trust solutions, there is a lot of confusion about what it is and what it isn’t. 

Zero trust requires all users, whether in or outside the organization’s network, to be authenticated, authorized and continuously validated before being granted or maintaining access to applications and data. Simply put, there is no such thing as a trusted source in a zero trust model. Just because a user is authenticated to access a certain level or area of a network does not necessarily automatically grant them access to every level and area. Each movement is monitored, and each access point and access request is analyzed. Always. This is why organizations with the strongest security defenses utilize an identity protection solution in conjunction with a zero trust framework. In fact, a 2021 survey found that 97% of identity and security professionals agree that identity is a foundational component of a zero trust security model.

It’s time to take identity protection seriously — here’s how 

As organizations adopt cloud-based technologies to enable people to work from anywhere over the past two years, it’s created an identity crisis that needs to be solved. This is evidenced in a 2021 report, which found a staggering 61% of breaches in the first half of 2021 involved credential data. 

A comprehensive identity protection solution should deliver a host of benefits and enhanced capabilities to the organization. This includes the ability to:

• Stop modern attacks like ransomware or supply chain attacks
• Pass red team/audit testing
• Improve the visibility of credentials in a hybrid environment (including identities, privileged users and service accounts)
• Enhance lateral movement detection and defense
• Extend multi-factor authentication (MFA) to legacy and unmanaged systems
• Strengthen the security of privileged users 
• Protect identities from account takeover
• Detect attack tools..[…] Read more »….

In today’s world, it’s important for every organization to have some form of vulnerability assessment and risk management program. While this can seem daunting, by focusing on some key concepts it’s possible for an organization of any size to develop a strong security posture with a firm grasp of its risk profile. We’ll discuss in this article how to build the technical foundation for a comprehensive security program and, crucially, the tools and processes necessary to develop that foundation into a mature vulnerability assessment and risk management program. 

Build the Foundation

It’s impossible to implement effective security, let alone manage risk, without a clear understanding of the environment. That means, essentially, taking an inventory of hosts, applications, resources, and users.

With the current computing environment, that combination is apt to include assets that reside in the cloud as well as those hosted in an organization’s own data center. Organizations have little control over their remote employees’ devices, who are accessing data on a bring-your-own-device (BYOD) basis, adding another layer of risk. There is also the aspect of software as a service applications (SaaS) that the organization uses. It’s essential to know what data is kept where. With SaaS, in particular, teams must have a clear understanding of who is responsible for the security of the data in contractual terms, so as to allocate resources accordingly. 

Manage the puzzle

Once the environment is scoped, managing it relies on three main components: visibility, control, and timely maintenance. 

Whether it is software vulnerabilities, vulnerable configurations, obsolete packages, or a range of other issues, a vulnerability scanner will show the security operations team what’s at risk and let them prioritize their reaction. That said, scanners, external or internal, are not the only option. At the high end, a penetration testing team can probe the environment to a level that vulnerability scanners can’t match. At the low end, establishing a process to monitor public vulnerability feeds and verifying whether newly exposed issues affect the environment can provide a baseline. It may not give as deep a picture scanning, or penetration testing, but the cost in SecOps time is often well worth it.

Protecting the users is a major point and doesn’t always get the attention it deserves. Ultimately, that starts with user education and establishing a culture that enhances a secure environment. Users are often the threat surface that presents the greatest risk, but with proper education and attitude they can become an effective layer of a defense depth strategy.

Another important step to protecting users is adding multi-factor authentication (MFA). In particular, those that require a physical or virtual token tend to be more secure than those that rely on text messaging or email. While MFA does add a minor annoyance to a user’s login, it can drastically reduce the threat posed by compromised accounts and reduce the organization’s overall risk profile.

User endpoints are another area of concern. While the default endpoint protection included in the main desktop operating systems (Windows and MacOS) are quite effective, they are also the defenses every malware writer in the world tests against. That makes investment in an additional layer of endpoint protection worthwhile. 

The last major piece here is a patch management program. This requires base processes that not only manage the patch process, but also the assets themselves. Fortunately, there are multiple tools available that can enhance and automate the process, and a regular patch cycle can have vulnerabilities fixed before they are even developed into exploits.

Ideally, the patch management process includes a change management system that’s able to smoothly accommodate emergency situations where a security hotfix must go in outside the normal window.

Pulling it all together

With the foundation laid, the final step involves communication. Simply assessing risk is not useful if there is no reliable way to organize people to act on it.

Bridging the information security teams, who are responsible for recognizing, analyzing, and mitigating threats to the organization, and the information technology teams, who are responsible for maintaining the organization’s infrastructure, is vital. Whether an organization achieves this with a process or a tool is up to them. But in either case, communication is vital, along with an ability to react across teams. This applies to non-technical teams as well — if folks are receiving phishing emails, security operations should know. 

These mechanisms need to be in place from the executive offices down to the sales or production floor, as reducing risk really is everyone’s responsibility. Moreover, the asset and patch management system needs a mechanism to prioritize patches based on business risk. Unless the IT team has the resources to deploy every single patch that comes their way, they will have to prioritize, and that prioritization needs to be based on the threat to business rather than arbitrary severity scores.

 An Investment 

There is no “one size fits all” solution for risk assessment and management. For example, for a restaurant that doesn’t accept reservations or orders online, a relatively insecure website doesn’t present much business risk. While it may be technically vulnerable, they are not at risk of losing valuable data...[…] Read more »….

The world is currently in a frenetic flux. With rising geopolitical tensions, an ever-present rise in cybercrime and continuous technological evolution, it can be difficult for security teams to maintain a straight bearing on what’s key to keeping their organization secure.

With the advent of the “Log4shell,” aka Log4J vulnerability, sound vulnerability management practices have jumped to the top of the list of skills needed to maintain an ideal state of cybersecurity. The impacts due to Log4j are expected to be fully realized throughout 2022.

As of 2021, missing security updates are a top-three security concern for organizations of all sizes — approximately one in five network-level vulnerabilities are associated with unpatched software.

Not only are attacks on the rise, but their financial impacts are as well. According to Cybersecurity Ventures, costs related to cybercrime are expected to balloon 15% year over year into 2025, totaling $11 trillion.

Vulnerability management best practices

Whether you’re performing vulnerability management for the first time or looking to revisit your current vulnerability management practices to find new perspectives or process efficiencies, there are some recommended useful strategies concerning vulnerability reduction.

Here are the top nine (We decided to just stop there!) tips and tricks for effective vulnerability management at your organization.

1. Vulnerability remediation is a long game

Extreme patience is required when it comes to vulnerability remediation. Your initial review of vulnerability counts, categories, and recommended remediations may instill a false sense of confidence: You may expect a large reduction after only a few meetings and executing a few patch activities. This is far from how reality will unfold.

Consider these factors as you begin initial vulnerability management efforts:

• Take small steps: Incremental progress in reducing total vulnerabilities by severity should be the initial goal, not an unrealistic expectation of total elimination. The technology estate should ideally accumulate new vulnerabilities at a slightly lower pace versus what is remediated as the months and quarters roll on.
• Patience is a virtue: Adopting a patient mindset is unequivocally necessary to avoid mental defeat, burnout and complacency. Remediation progress will be slow but must sustain a methodical approach.
• Learn from challenges: As roadblocks are encountered, these serve as opportunities to approach alternate remediation strategies. Plan on what can be solved today or in the current week.

Avoid focusing on all the major problems preventing remediation and think with a growth mindset to overcome these challenges.

2. Cross-team collaboration is required

Achieving a large vulnerability reduction requires effective collaboration across technology teams. The high vulnerability counts across the IT estate likely exist due to several cultural and operational factors within the organization which pre-exists remediation efforts, including:

• Insufficient staff to maintain effective vulnerability management processes
• Legacy hardware that cannot be patched because they run on very expensive hardware — or provide a specific function that is cost-prohibitive to replace
• Ineffective patching solutions that do not or cannot apply necessary updates completely (e.g., the solution can patch web browsers but not Java or Adobe)
• Misguided beliefs that specialized classes of equipment cannot be patched or rebooted therefore, they are not revisited for extended periods

Part of your remediation efforts should focus on addressing systemic issues that have historically prevented effective vulnerability remediation while gaining support within or across the business to begin addressing existing vulnerabilities.

Determine how the various teams in your organization can serve as a force multiplier. For example, can the IT support desk or other technical teams assist directly in applying patches or decommissioning legacy devices? Can your vendors assist in applying patches or fine-tuning configurations of difficult to patch equipment to make?

These groups can assist in overall reduction while further plans are developed to address additional vulnerabilities.

3. Start by focusing on low-hanging fruit

Focus your initial efforts on the low-hanging fruit when building a plan to address vulnerabilities. Missing browser updates and applying updates to third-party browser software like Java or Adobe are likely to comprise the largest initial reduction efforts.

If software like Google Chrome or Firefox is missing the previous two years of security updates, it likely signifies the software is not being used. Some confirmation may be required, but the response is likely to remove software, not the application of patches.

To prevent a recurrence, there will likely be a need to revisit workstation and server imaging processes to determine if legacy, unapproved or unnecessary software is being installed as new devices are provisioned.

4. Leverage your end-users when needed

Don’t forget to leverage your end-users as a possible remediation vector. A single email you spend 30 minutes carefully crafting to include instructions on how they can self-update difficult-to-patch third-party applications can save you many hours of time and effort — compared to working with technical teams where the end result may be a reduction of fewer vulnerabilities.

However, end-user involvement should be an infrequent and short-term approach as the underlying problems outlined in cross-team collaboration (tip #2) are addressed.

This also provides an indirect approach to increasing security awareness via end-user engagement. Users are more likely to prioritize security when they are directly involved in the process.

Over the past two years, the pandemic has fundamentally altered the business world and the modern work environment, leaving organizations scrambling to maintain productivity and keep operational efficiency intact while securing the flow of data across different networks (home and office). While this scenario has undoubtedly created new problems for businesses in terms of keeping sensitive data and IP safe, the “WFH shift” has opened up even greater risks and threat vectors for the US public sector.

Federal, state, local governments, education, healthcare, finance, and nonprofit organizations are all facing privacy and cybersecurity challenges the likes of which they’ve never seen before. Since March 2020, there’s been an astounding increase in the number of cyberattacks, high-profile ransomware incidents, and government security shortfalls. There are many more that go undetected or unreported. This is in part due to employees now accessing their computers and organization resources/applications from everywhere but the office, which is opening up new security threats for CISOs and IT teams.

Cyberthreats are expected to grow exponentially this year, particularly as the world faces geopolitical upheaval and international cyberwarfare. Whether it’s a smaller municipality or a local school system, no target is too small these days, and everyone is under attack due to bad actors now having more access to sophisticated automation tools.

The US public sector must be prepared to meet these new challenges and focus on shoring up vulnerable and critical technology infrastructures while implementing new cybersecurity and backup solutions that secure sensitive data.

Previous cyber protection challenges

As data volumes grow and methods of access change, safeguarding US public sector data, applications, and systems involves addressing complex and often competing considerations. Government agencies have focused on securing a perimeter around their networks, however, with a mobile workforce combined with the increase in devices, endpoints, and sophisticated threats, data is still extremely vulnerable. Hence the massive shift towards a Zero Trust model.

Today, there is an over-reliance on legacy and poorly integrated IT systems, leaving troves of hypersensitive constituent data vulnerable; government agencies have become increasingly appealing targets for cybercriminals. Many agencies still rely on outdated five-decade-old technology infrastructure and deal with a multitude of systems that need to interact with each other, which makes it even more challenging to lock down these systems. Critical infrastructure industries have more budget restraints than ever; they need flexible and affordable solutions to maintain business continuity and protect against system loss.

Protecting your organization’s data assets

The private sector, which owns and operates most US critical infrastructure, will continue being instrumental in helping government organizations (of all sizes) modernize their cyber defenses. The US continues to make strides in creating specific efforts that encourage cyber resilience and counter these emerging threats.

Agencies and US data centers must focus on solutions that attest to data protection frameworks like HIPAA, CJIS, NIST 800-171 first and then develop several key pillars for data protection built around the Zero Trust concept. This includes safety (ensuring organizational data, applications, and systems are always available), accessibility (allowing employees to access critical data anytime and anywhere), and privacy and authenticity (control who has access to your organization’s digital assets).

New cloud-based data backup, protection and cybersecurity solutions that are compliant to the appropriate frameworks and certified will enable agencies to maximize operational uptime, reduce the threat of ransomware, and ensure the highest levels of data security possible across all public sector computing environments.

Conclusion

First and foremost, the public sector and US data centers must prioritize using compliant and certified services to ensure that specific criteria are met…[…] Read more »…

As with any merger, it is always difficult to predict an outcome until the final deal papers are signed, and press releases hit the wires.  However, there are clear indications that a tie up between these two is essential, and we will all be the better for it.  Data Governance has historically focused on the use of data in a business, legal and compliance context rather than how it should be protected, while the opposite is true for Information Security.

The idea of interweaving Data Governance and Information Security is not entirely new.  Gartner discussed this in their Data Security Governance Model, EDRM integrated multiple stakeholders including Information Security, Privacy, Legal and Risk into an overarching Unified Data Governance model, and an integrated approach to Governance, Risk, and Compliance has long been an aspiration in the eGRC market.  Organizations that have more mature programs are likely to have some level of integration between these functions already, but many continue to struggle with the idea and often treat them as separate, siloed programs.

As programs go, Information Security is ahead of Data Governance for its level of attention in the Boardroom; brought about primarily by news-worthy events that demonstrated what security and privacy practitioners had warning about for a long time.   These critial risks to the public and private sectors inspired significant, sweeping frameworks and industry standards(PCI, NIST, ISO, ISACA, SOC2) and regulatory legislation (HIPAA, GDPR, NYDS), and gave Information Security Officers (CISOs) a platform for change.

By contrast, data governance has been more fragmented in its definition, organization, development, and funding.  Many organizations accept the value of data governance, particularly as a proactive means to minimize risk, while enabling expansive use of information required in today’s business environment.   However, enterprises still struggle to balance information risk and value, and establishing the right enablers and controls.

Drivers

Risks and affirmative obligations associated with information are the primary drivers for the intersection of data governance and information security.  The reason that information security is so critical is that the loss ((through exfiltration or loss of access due to ransomware) of certain types of data carry legal and compliance consequences, along with impacting normal business operations.  And a lack of effective legal and compliance controls often lead to increased information security and privacy risk.

Additional common drivers include:

• Volume, velocity, mobility, and sensitivity of information
• Volume and complexity of legal, compliance, and privacy requirements
• Hybrid technology and business environments
• Multinational governance models and operations
• Headline and business interruption risks

Finally, an underlying driver is the need to leverage investments in technology, practices, and personnel across an organization.  The interrelationships of so many information requirements simply demands a more coordinated approach.

Merging the models

We chose Information Risk Management, to define a construct that encompasses the overaching disciplines and requirements.  First, we did so because it places the focus on information.  For example, the same piece of information that requires protection, may also have retention and discovery requirements.  Second, risk management recognizes the need to balance the value and use of information from a business perspective, while also providing appropriate governance or protection.  Risk management also serves as an important means to evaluate priorities in investment, resources, and audit functions.

The primary objective is to integrate processes, people, and solutions into a framework that addresses common requirements; and does so “in depth” for both.  Security people, practices and technologies have long-been deployed at many levels (in-depth) to protect the organization.  The same has not often been the case for governance (legal, compliance, and privacy) obligations.  New practices and technologies are enablers for ntersecting programs, and support alignment amongst key constituencies, including Information Security, IT, Legal, Privacy, Risk and Compliance.  Done right, this provides leverage in an organization’s human and technology investments, improves risk posture, and increases the rate and reach of new practices and solutions.

Meshing disciplines and elements of each program are not meant as a new organizational construct; rather, it should start with a firm understanding of information requirements from key stakeholders; and from there establish synergies.  The list below, not meant to be exclusive, provides examples of shared enabling practices and technologies:

Conclusion

Integrating data governance, information security and privacy frameworks allows an enterprise to gain leverage from areas of common investment and provides a more comprehensive enterprise risk management strategy.  By improving proactive information management, organizations increase preventative control effectiveness and decrease reliance on detection and response activities.  It also develops cross functional capabilities across Privacy, Legal, Compliance, IT, and Information Security…[…] Read more »…

Like many things in life, with the security of your company’s application, you get what you pay for. You can spend too little, too much or just right.

To find the right balance, consider Goldilocks: she goes for a walk in the woods and comes upon a house. In the house, she finds three bowls of porridge. The first is too hot, the second is too cold, but the third is just right.

Goldilocks is the master of figuring out “just right.” To determine the appropriate security budget for your company, you need to be, too.

How much security effort is too much?

First, let’s explore the idea of overinvesting in security. How much is too much?

At a certain point with security, you start to see diminishing returns: issues still appear but more rarely. Security is never really “done,” so it’s tricky knowing when to move on. There’s always more to do, more to find, more to fix. Knowing when to wrap up depends on your threat model, risk appetite and your unique circumstances.

However, your company probably isn’t in this category. Almost nobody is. You certainly can get there, but you’re likely not there now. The takeaway is this: even though you’re probably not in this category yet, it’s important to know that security is not an endless investment of resources. There is a point at which you can accept the remaining risk and move forward.

The problem with too little effort

On the other hand, companies often spend too little effort on security. Almost everyone falls into this category.

Security is often viewed as a “tax” on the business. Companies want to minimize any kind of tax, and so they try to cut security spending inappropriately. However, most people don’t realize that when you cut costs, what you actually cut is effort: how much time you invest, how manual it is, how much attack surface you cover and how thoroughly you develop custom exploits. That’s a dangerous elixir because your attackers already invest more effort than you can. Cutting effort just cedes more advantage.

As a leader, you’re under tremendous pressure to make the best use of the limited money and person-power you have, and those resources need to cover a wide range of priorities. It’s sometimes hard to justify the investment in security, and even when you can, you aren’t always sure where the best place to invest it might be.

Here’s the harsh reality, though: the less you invest, the less it returns. When you cut costs too far, you prevent outcomes that help you get better. Achieving your security mission is going to cost you time, effort and money. There is no way around that. When those investments get cut to the bone, what’s really reduced is your ability to succeed.

The level of effort that’s “just right”

The trick to successful application security lies in finding your sweet spot, that magical balance where you uncover useful issues without investing too much or too little. There are many variables that influence this, including:

• The value of your assets
• The skills of your adversaries
• The scope of your attack surfaces
• The amount of risk you’re willing to accept

As a ballpark estimate, to do application security testing right is probably going to cost $30,000 to $150,000 or more per year, per application. Some cost far more than that.

That number might shock you; as discussed, most companies are in the category of spending too little. Security isn’t cheap because it’s not easy, it requires a unique skill set, and it takes effort.

However, doing security right is worth the price.

The incremental cost of doing security right is a tiny, microscopic spec compared to the gigantic cost of a security incident. Most importantly, since most companies struggle to do security right, those who do obtain an enormous advantage over their competitors. You want to be one of those companies. To get there, you need to invest appropriately.

There are no security shortcuts

Ultimately, you can’t achieve security excellence by going cheap. You can’t find the unknowns for cheap. You can’t discover custom exploits for cheap. You get what you pay for, and there’s no way around that. However, you also don’t need to spend endlessly either; even though there’s always more to fix, there is a point at which you can accept the remaining risk and move on.

The best approach is to channel your inner Goldilocks and find the budget that’s “just right” for your company. Figure out how rigorous and comprehensive an assessment your application requires, and don’t fall short of those standards…[…] Read more »….