by Edward Vasko
I learned an unexpected lesson in cybersecurity when a friend of mine was telling stories about his Army days. During one training exercise, back in the ’80s, his battalion was working with air support from the brand-new Apache helicopters. This was the first time they saw them in action.
My buddy was handling communications (encrypted, of course) with the gunships. Just as they were appearing over the treetops, the encrypted channel went down. He had to make a split-second decision; lose the air support or flip the switch and transmit in the clear. He flipped it to save the comms, relying on his training and instinct.
The military takes security seriously, but they bypass it the second it interferes with the mission.
As I considered my friend’s story, my mind took me down a path to civilian life. I made an association: This happens in business, too, albeit under considerably different circumstances.
You’ve all heard stories of employees deliberately ignoring or bypassing security controls, anything from sneaking in shadow IT to propping open a door meant to stay locked. They don’t ask for permission, because they expect the security team to say “no.’” The security team, in turn, expects users to take foolish risks just to save time and effort.
Related Reading: What Every Cybersecurity Pro Should Understand About Insider Threats
While these infractions don’t equate to the decisions our men and women in service make every day to protect our freedom, the bottom line is the same: To get security right, the security team and other business units need to meet in the middle. The goal is to balance security risks against business objectives and develop sensible controls that reduce the biggest risks with minimal impact on job performance.
That is, of course, easier said than done. Fortunately, we don’t have to start from scratch: We can build on lessons learned from secure software development practices.
Shift-Left DevOps Approach
Shannon Lietz, an expert in secure software development, wrote about the benefits of shifting security left in the software development lifecycle in 2016. The basic idea is for the security and development teams to work together to define security design constraints and shift security design decisions onto the developers. Ideally, that would reduce both security vulnerabilities and production delays.
This shift-left paradigm might be applied throughout the organization to develop reasonable security controls with minimal impact on employees’ job performance. The security team would have to collaborate with each business unit to identify the specific risks it faces and develop useful security controls. The goal is for the unit’s employees to understand the risks their unit faces and have the tools and knowledge to avoid them.
Both the threats and the jobs will change over time, so this should be an ongoing process, just like the continuous software delivery process Ms. Lietz described in her blog post.
Ideally, a culture of collaboration would turn the security team into a trusted ally, included early in any plans to change hardware, software, or business processes. They would be able to identify risks early on and find solutions that work best for the users.
Collaboration Opportunities
Although most organizations associate cybersecurity with IT or software development, every business unit or process faces security risks. The recent COVID pandemic has reminded us that security vulnerabilities span the entire organization.
Some businesses that stayed open had to quickly make operational changes that affected their security controls, often introducing new security vulnerabilities. Even something as simple as taking the temperature of anyone entering the workplace or asking workers to self-report symptoms introduces risk. Temperature and symptom data are personal health information, which should be collected, processed, and stored securely. This is an opportunity for your security team to collaborate with your Human Resources team to make sure the information is protected from unauthorized access.
Related Reading: The Business Continuity Shift: Ensuring Telework Security
Some businesses are also tracking employee movements in the workplace for contact tracing and infection prevention purposes. If a business contracts with a third-party vendor to provide location tracking, your security team should be collaborating with your Legal or Privacy team, to make sure the solution has appropriate security controls, the contract provisions require the vendor to secure the “data supply chain,” and the solution does not violate any labor, privacy or security regulations or agreements.
We’ve also heard many stories about the problem of abruptly shifting large numbers of employees from on-site to remote work. IT and security teams had to scramble to make sure each employee had the equipment, data access, and communications tools they needed to work securely from home. One of the most visible problems was finding available, reliable, and secure meeting options, and you probably heard/read by now the challenges Zoom had around security.
Zoom is also an example of how difficult it is to design secure solutions. When the pandemic hit, Zoom meetings were public by default, even though the service supported private meetings with tighter security controls. Hackers and trolls were quick to take advantage of the opportunities to Zoombomb unsecured classrooms and meetings. The bad publicity and the increased scrutiny of Zoom’s security control certainly hurt the company.
Related Reading: Stop! Using Online Collaboration Tools Until You Read This
This might have been avoided through better collaboration between Zoom’s security, marketing, and development teams. Zoom had several options, but they chose public-by-default, possibly because it is easier to set up and join public meetings. Businesses must consult IT and DevOps to weigh long-term security effects versus short-term gain when making decisions across the enterprise. In Zoom’s case, if they had chosen private-by-default instead, they might have attracted fewer customers in the beginning, but avoided a lot of the recent bad press.
Alternatively, they could have made the easy, public option the initial default, to attract users, and then switched the default to “private” after the service had a wider, experienced user base. At a minimum, simply improving the onboarding experience of new users by advertising the availability and advantages of private meetings could have helped.
There are always security tradeoffs with new communications tools, and it’s best for marketing and development to work closely with the security team.
Making It Work
The pandemic has been tragic in many ways. One good thing that a business is likely to learn from it, however, is a wealth of lessons to inform future disaster recovery planning. We all know that collaboration is easier said than done, but the recent pandemic has shown that it is necessary. In the next post, we’ll take a closer look at how to change security from being the guys that always say “no” to the allies who make it work.
Empower Yourself to Act Quickly When an Attack Occurs. Download the e-book.
- The six phases of a comprehensive IR plan
- The five steps required for getting started
- The factors and entities you need to consider when writing your IR plan
- How to practice your plan for responding to an incident
Edward Vasko, Senior VP DevOps, and Technology
Edward Vasko brings more than 30 years of diverse management, technical, and information security experience to drive Avertium’s overall technology strategy and platform integrations for target acquisitions. His ability to build high-caliber teams that can tackle the hardest cybersecurity challenges; and identify market opportunities that leverage service-wrapped offerings to provide value to clients have been celebrated by the industry and his peers.