Digital transformation, hybrid working and the continual migration of services to the cloud are moving the technology landscape like never before. Consequently, the security landscape is moving along with it.
Cyber criminals also use the new technologies themselves. The stereotype of a cyber criminal sitting at home with their hood up, typing away at their computer, couldn't be further from the truth. In reality they're putting on a hi-vis jacket and a key card, walking into the office and subverting systems from the inside.
The constant game of cat and mouse that security has always played with people wishing to break security systems is still going, and it is going ever faster.
As a Chief Information Security Officer or a senior security executive, it is understandable how this ever-evolving threat landscape may keep you up at night.
So, what can you do?
Detecting threats is important; however, it is more prudent and less expensive to dissuade malicious behaviour. Creating and promoting a security-aware culture within your organisation is KEY.
At our Spring edition of the CISO Visions Leadership Summit, Jason Maude, Chief Technology Advocate at Starling Bank, spoke about two frameworks, DevSecOps and Zero Trust Systems, that Starling Bank has embedded into its culture to stop these issues arising.
DevOps was created to solve the problem of segregated responsibility between developers and operations teams when things went wrong. DevSecOps extends this: security culture, practices and tools are embedded into each phase of the DevOps pipeline, rather than security being another layer added on top of a finished product. By moving security left in the product life cycle, security behaviours are more readily adopted because they fit seamlessly into the developer's workflow.
Security as code is a crucial factor here. Developers produce more secure work when tests, scans and policies are integrated into the code itself. You can avoid a lot of issues by maintaining code hygiene: code that is easy to read and maintain.
Zero Trust Systems: sceptical systems
Zero Trust is hard to achieve; you can't trust nothing. A system that trusts nothing will sit there and do nothing, and this is NOT a good risk model: since anything could be an attack, it denies all work from the outside.
What you really want is a sceptical system: one that is intelligent enough to interrogate whatever comes in and work out whether it is a good command or not.
Starling Bank makes a virtue of this from the point of view of both reliability and security. The system checks each command:
- Has the command already been executed?
- Has the correct authority been given to perform the command?
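The two checks above, written out as an added example (not Starling Bank's code): a command handler that first asks whether a command with this ID has already been executed, then whether the actor has been granted authority for that action on that account, and only then applies it. The `authority` mapping and the account balances are constructed stand-ins for a real policy store and ledger.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Command:
    command_id: str  # caller-assigned idempotency key
    actor: str       # who is asking
    action: str      # e.g. "withdraw" or "deposit"
    account: str     # target account
    amount: int      # in pence


class ScepticalHandler:
    """Interrogates every command before acting on it: has it already been
    executed, and has the actor authority for this action on this account?"""

    def __init__(self, authority, balances):
        # authority: {(actor, action): set(account)} -- a constructed stand-in
        # for whatever policy store a real system would consult.
        self._authority = authority
        self.balances = dict(balances)
        self._executed = {}   # command_id -> recorded outcome
        self.rejections = []  # audit trail: (command_id, reason)

    def handle(self, cmd):
        # Check 1: a replayed or duplicated command returns the recorded
        # outcome and is never applied a second time.
        if cmd.command_id in self._executed:
            return self._executed[cmd.command_id], "duplicate"
        # Check 2: authority must have been granted for (actor, action, account).
        allowed = self._authority.get((cmd.actor, cmd.action), set())
        if cmd.account not in allowed:
            self.rejections.append((cmd.command_id, "unauthorised"))
            return "rejected", "unauthorised"
        # Only now do the business rules run.
        if cmd.action == "withdraw":
            if self.balances.get(cmd.account, 0) < cmd.amount:
                self.rejections.append((cmd.command_id, "insufficient-funds"))
                return "rejected", "insufficient-funds"
            self.balances[cmd.account] -= cmd.amount
        elif cmd.action == "deposit":
            self.balances[cmd.account] = self.balances.get(cmd.account, 0) + cmd.amount
        else:
            self.rejections.append((cmd.command_id, "unknown-action"))
            return "rejected", "unknown-action"
        self._executed[cmd.command_id] = "executed"
        return "executed", "ok"
```

The `rejections` list is what makes a compromise "very quickly noticeable": a reliable system rejects almost nothing, so any rise in unauthorised or duplicate commands is a signal worth investigating.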
These are important steps to make sure your systems are resilient in both reliability and security. If you know you have a reliable system, then any compromise is a problem and is very quickly noticeable. This creates a human firewall element whereby you check every problem and allow none to escalate.
The most important thing in making sure all this new technology is secure is to embed, in the teams that create, deploy and secure software, a culture in which security is a responsibility shared by everyone. Security teams are there to advise, not to 'do security'. Security is everyone's responsibility, and making sure it is shared across the organisation is key.
Jason will be joining us at the CISO VISIONS Leadership Summit on 9-11 October at Twickenham Stadium.