This Halloween season, we’ve explored the deepest, darkest corners of cyberspace in our National Cybersecurity Awareness Month (NCSAM) blog series—from cyber spooks and digital demons to deathly data breaches and compliance concerns. Our panel of cybersecurity experts assembled to tell you the spookiest things they’ve seen in the digital world—and how many of the risks we face today can be vanquished by some good-old-fashioned vigilance and know-how.
In between mouthfuls of candy, and before the inevitable sugar crash, take a look back on our month of cybersecurity horrors, plus some foreshadowing on the dangers (and opportunities) that lie ahead.
Security Sins That Make Us Scream
Our series began with a look at the most egregious corporate cybersecurity sins witnessed by our experts over the last 12 months. Sending shivers down the spine, they recount tales of hyper-growth, in which companies amassed troves of sensitive customer information but left security programs behind and vulnerable. Stories of complicated vendor ecosystems, hidden vulnerabilities and incomplete security oversight left readers trembling over third-party threats. Our experts go on to warn of the dark dangers within—and how insider threats can be the deadliest. This is particularly true as teams, laser-focused on speed, adopt new tools in an autonomous and localized way, causing shadow IT to proliferate across digital environments outside of security’s control. Remember, a well-intentioned developer using an unsanctioned tool to get work done faster is still a potential threat.
Perhaps most horrifying were the stories of companies and people choosing to ignore warning signs, skip important security steps in the name of speed, sweep data breaches under the rug or give up on cybersecurity altogether—without considering the consequences. Too many of these stories involve software and infrastructure security shortcomings. The time is now, our experts urge, to rethink the approach—to think more holistically and with more overarching composition. We can’t continue to bolt on new (but myopic) tools that don’t communicate or collaborate, while adding new burdens atop already over-burdened security teams. It’s an unsustainable recipe for disaster that will ultimately crush your competitive edge and leave you alone in the dark. A modern digital era requires a fresh mindset and a holistic approach that harnesses the power of machines and the irreplaceable minds of cybersecurity practitioners, while also orchestrating risk management across security tools to gain a continuous and consolidated view of risk.
What’s Keeping Cybersecurity Pros Up at Night
In the rush to digital transformation, organizations are moving workloads to the cloud, adopting new technologies and expanding third-party networks to enhance their offerings as if something were chasing them. Cybersecurity professionals are struggling to even keep track of the assets they need to secure, let alone effectively secure them. Without a clear and comprehensive view of risk, they’re constantly looking over their shoulders, ready for an unnamed but always looming threat to emerge from the shadows. Making matters worse, since speed is the name of the game, software is developed and shipped faster than ever before—often at the expense of proper security.
In post two, our cyber experts foretell new and emerging threats that keep them up at night—such as attacks on critical infrastructure that could paralyze entire cities or weaponized connected systems that could potentially cause human harm—as the lines between cyber and physical security continue to blur. They also warn of increasing attacks on popular open source programming libraries. As organizations of all sizes embrace CI/CD and agile methodologies, their reliance on open source code grows. Yet despite its many benefits, open source presents new and frightening risks to enterprise security in the form of rampant unpatched software vulnerabilities. Unlike commercial software that can be automatically patched and updated, open source users must keep track of vulnerabilities and manage their updates manually. Given the ubiquity of open source, this is a truly scary and daunting task for security teams. Tools that can orchestrate and automate the discovery of software bugs, flaws and vulnerabilities across open source components, applications and infrastructure can help teams enhance vulnerability management and significantly improve application security programs—while embracing open source with confidence.
The Cybersecurity Skills Shortage: What Nightmares Are Made Of
If you do end up falling asleep at night, these stats are sure to haunt your dreams. There are currently 2.93 million cybersecurity positions open and unfilled around the world, and the numbers are only getting worse. In the U.S. alone, over 300,000 cybersecurity positions remain open, prompting a top DHS official tasked with protecting critical infrastructure to recently declare the shortage a “national security threat.” Forced to fill the gaps and juggle an ever-expanding set of disparate tools, security teams are overworked, overtired and overstressed. Consider that some of the most popular talks in recent years at major cybersecurity events like RSA Conference and Black Hat addressed growing mental health issues across the industry—from anxiety and burnout to addiction and PTSD.
It’s time to take on the monster in the room by shifting from awareness to action, our expert cyber panel urges in our third post. Prioritize your people by creating a culture of well-being that emphasizes self-care and work-life balance, providing in-house education and doubling down on cybersecurity recruiting efforts to find the right people to help lighten the load. But don’t stop there. Commit to new approaches that automate and orchestrate processes and empower your security team to scale and amplify their efforts—without adding complexity or sacrificing speed.
Zinger Halloween Tips for the Cybersecurity Mind
In the fourth and final NCSAM installment, our expert panel warns of the dangers of getting lost in the fog without a clear plan and full view of the threats lurking all around. To stay on the right path, security must remain in the forefront of conversation and play a role in all business decisions. To do this, security leaders must change their approach to communicating with executive teams and boards, moving away from scare tactics and F.U.D. (fear, uncertainty and doubt) to speaking the language of the business. This means building a strong case by focusing on business value and outcomes, creating a strategy that aligns with business goals, implementing frameworks to better quantify business risk in dollars and cents (i.e., the FAIR model) and devising a realistic roadmap with defined milestones and metrics.
Don’t try to outrun the bogeyman by cutting corners and choosing speed over security and compliance—particularly when it comes to securing the dynamic software development lifecycle. Conversely, don’t get scared stiff and end up with “analysis paralysis.” Focus on the fundamentals first. Are you following basic cybersecurity hygiene practices, such as patching software, managing new installs, changing passwords, limiting users, backing up data and employing a cybersecurity framework to protect your applications and infrastructure? Embrace DevSecOps by aligning security, operations and development teams to collectively identify and prioritize risks, tackle the most critical first and then expand to new areas over time. Remember—cybersecurity is an ongoing journey, not a final destination.
Stay safe out there, cybersecurity comrades, for the night is dark and full of terrors. But don’t fear, as we close out our NCSAM Halloween series, we’ll be getting back to our regularly scheduled programming here on the ZeroNorth blog… until next year!