Why Cybersecurity is Falling Short
If the old tactics aren’t working, where do we go from here?
It’s understandable that people read the headlines today and question cybersecurity’s effectiveness, or even its purpose. And to some extent, they’re right; companies’ cybersecurity efforts have fallen short lately. But why? Part of the problem is that security hasn’t kept pace with the changing nature of the attack vectors. Another factor is the way the security industry has been talking about the risk of breaches and how to manage it.
The security industry shares some of the blame for the inadequacy of cybersecurity today. We tend to put out messages like, “it's a matter of when you get hit, not if you get hit.” And that has backfired to some extent because it unduly shifted attention to technologies or strategies that are focused on detecting an infiltration and then responding to it quickly.
But what we saw with recent highly destructive attacks like WannaCry is that they do a lot of damage super fast, so a strategy of “detect it and contain it as quickly as possible” will not be effective. The damage is already done. You also have to take into account what you can do preventatively to make yourself more resilient to these types of attack vectors.
The New Approach: Shift Left
And not only do we need to focus more on prevention, but we need to change the timing of that focus. The landscape shift that necessitates this new approach is two-fold: the role applications play in our economy has grown in importance, and at the same time contemporary application development methodologies like DevOps are increasing the speed and precision with which software is produced and deployed.
And as the speed and importance of software have increased, so has the risk, and with it the need for a new security approach. This new approach starts with “shifting left” – shifting security back to the point where code is being created and the vulnerabilities are being introduced. To keep up with DevOps and still ensure security, the only effective option is to fix code as we go – rather than slow down the process with a list of security flaws to address right before release. And, ironically, DevOps gives us an opportunity to make this shift left successfully. Although many consider the speed of DevOps a “security killer,” we are starting to see that it is, in fact, the ideal security enabler. DevOps is by its nature a collaborative process, and this is encouraging developer and security teams to work together at different stages throughout the software development lifecycle, which makes it possible to find and fix vulnerabilities earlier in the process.
Great Software Is Synonymous With Secure Software
In our current landscape, effective cybersecurity starts with educating and training developers, and giving them the technology to get feedback as they’re writing code. In this way, the act of writing software also becomes the act of writing secure software.