Intelligent CISO Issue 53 - Page 43

EXPERT OPINION
seek ways of establishing a new chain of responsibility for incidents that is tied to change management, pushing for the leads of agile-driven projects to assume responsibility for any incidents that occur in the absence of security due diligence.
Security as standard
SecDevOps is one example of an attempt to change these cultures in favour of those that establish security as a must-have – a standard requirement for all projects. CISOs know enough to convincingly argue that it is easier, cheaper and more effective to build security in from the ground up. They need to hammer this point home and never allow security to be relegated to a QA-style add-on at the end of the development life cycle.
To keep their employees and customers safe in the modern threat landscape, enterprises and their technology teams must recognise that robust security does not end with mere regulatory compliance. CISOs are in a position to teach them that. They must argue for investment in the industry’s most effective tools and, if possible, the use of independent red teams – ‘friendly’ actors who pose as attackers to test cyber defences. Tools should be capable of monitoring environments and flagging errors in development and configuration. And the business should accept at a cultural level that no product or digital experience is fit for purpose until signed off by the CISO.
Today, digital experiences live in multiple environments. Security tools must allow teams to spot threats across hybrid and multi-cloud ecosystems. They must account for software vulnerabilities and for weaknesses in identity requirements. They must be scalable so that enterprises can grow their ambitions and their offerings without having to consider the capacity of their security tools.
Slow and steady
It is natural for a line-of-business executive, or even a CIO, to want agile IT. In this respect, such stakeholders form the business’ more reactive side. Their strategy concentrates on the next big delivery rather than the risks behind it. CISOs have a vital role to play in applying the brakes and negotiating a more measured response to competitive markets and demanding customers. They should remind their colleagues that the costly nature of cyber incidents is the stuff of headlines.
Agile projects definitely have their place in today’s enterprise. But sustainable success, as opposed to a series of risky quick wins, requires methodical, purposeful action. Many around the CISO may roll their eyes at the suggestion of ‘slow and steady wins the race’, but if security leaders doggedly lay out the costly alternatives, they may, over time, win hearts and minds.