From Website Security Architecture To The Boardroom: Optimizing Your Business

Threats and challenges

There's a compelling case for change because the website security landscape is evolving fast, with growing levels of threat volume and complexity. To take a few examples from the Website Security Threat Report¹ and elsewhere:

• In one year, there were 318 major security breaches, exposing 429 million identities
• Half of the applications tested (52 percent) had security vulnerabilities, according to Ponemon²
• Three-quarters of the websites had vulnerabilities
• Distributed denial of service attacks took down more well-known apps and services, most notably the DYN DNS attack³
• Zero-day vulnerabilities reached unprecedented levels, meaning that relying on signature-based malware scanning alone isn't sufficient
• Cybercriminals are now targeting digital certificates⁴

In other words, it's getting harder and harder to protect critical systems and data from unauthorized access and to ensure compliance with evolving data protection regulations, such as the new EU General Data Protection Regulation⁵, not to mention credit card processing requirements such as the latest PCI-DSS standards.

At the same time, website security teams need to deliver business-focused upgrades. For example, more and more websites feature end-to-end encryption to boost consumer confidence and get an SEO bump. The launch of Google Chrome 56 will accelerate this trend. Similarly, many organizations are switching to more secure SSL/TLS certificates, eschewing SHA-1 encryption and domain validated certificates.

As companies embrace hybrid and public cloud services and support an ever-growing list of end-user devices, manageability and automation are now top of the agenda for IT professionals. This is just as true for website management as it is for other IT domains. For example, companies with joined-up and automated certificate management systems are better placed to respond to vulnerabilities like the 2016 'Drown' attack⁶ than companies that need to check certificates manually.

All this means that CISOs and IT security professionals need to move faster just to stand still. To get out in front requires a new approach altogether.

Challenges with a legacy approach

1. The silos of the lambs

Unfortunately, there is a lot of ambiguity, confusion and a lack of accountability in IT security departments. Two-thirds of organizations have fragmented security practices, according to Ponemon⁷. They are designed around limiting job descriptions that focus on things – servers, applications and devices – not the valuable data on them.

Your data doesn't care about your divisions and departments. Nor do attackers. And yet everyone is sitting in their own silo and monitoring their own systems. This person buys certificates, that person manages servers, this other person looks after endpoint virus protection and so on. Management and accountability may only converge in the board room.

Attackers don't limit themselves to servers, end-user systems or email. They duck, dive and weave to get what they want. Your team should be doing the same to keep them out.

Yet the security of websites, applications and connected devices is a responsibility that falls on multiple teams. For example, one team may find a vulnerability but another has to investigate, research or patch it. This slows down response times, both for prevention and cure. This is a case where poor organization design can lead to security breaches, class action lawsuits and board-level investigations when something goes badly wrong.

Another example of the risks of poor organization design is the 'too-busy' department. For example, a recent NopSec report⁹ found that it took financial services firms an average of 176 days to remediate a security vulnerability. This kind of delay is largely due to complex manual processes. Yet these companies have big IT departments full of well-meaning staff who are working long days – just like you.

Organization is destiny

The way you structure your team, set its objectives, make decisions and allocate responsibility determines the results you see. 'Structure dictates the relationship of roles in an organization, and therefore, how people function,' says management expert Gill Corkindale⁸. 'An outdated structure can result in unnecessary ambiguity and confusion and often a lack of accountability.'

There is clearly a pressing need for change. The starting point is, of course, where you are today combined with best practice advice. For example, Forrester's guidance on building a robust security organization¹⁰ or Carnegie Mellon's strawman organization template¹¹. Then there are any number of management frameworks to draw on, such as McKinsey's well-known 7S model¹², which 'stresses coordination rather than structure in organizational effectiveness'.

It isn't necessarily a case of more people, more budget or more resources. In fact, a well-designed organization automatically makes better use of existing resources. Indeed, there is an argument that adding more people is a mistake. 'Research shows that every time the size of a city doubles, innovation or productivity per resident increases by 15 percent. But when companies get bigger, innovation or productivity per employee generally goes down,' according to Tony Hsieh, founder of Zappos.

Fred Brooks's classic book, The Mythical Man Month, explains why this happens in an IT context. As more people get added to a late-running IT project, the added burden of communicating between all the extra people increases faster than the extra work they do. 'Adding manpower to a late software project makes it later,' he says.

The agile development methodology¹³ that has emerged out of the software development world offers a familiar model for empowering individuals to deal with rapidly-changing requirements. Agile may be a useful source of inspiration to busy IT security departments. Critically, this approach is adaptive rather than predictive and well-proven inside large IT organizations.