Instilling a culture of cyber security at your organization requires your people to maintain a high level of knowledge and awareness about cyber security risks—and that takes an effective, impactful, and ongoing security awareness program.

Related: Deploying employees as human sensors

However, a security awareness program is only as good as its content. To ensure that your end users retain core concepts and knowledge, it’s important to contextualize topics and keep your people engaged during the entire training process.

Additionally, to hold their interest, the content must be fun. These results are achieved in a few different ways. Let’s take a closer look.

Make it engaging!

First and foremost, your security awareness program’s content must be engaging. Break up lessons into bite-size morsels, and carefully divide them by topics. Keep the interface simple, and include an interactive component, such as a short quiz, in each lesson.

Also, tailor content to the user’s specific role within the organization. You might show someone in a manager role, for example, content that helps them coach their team members and supervise any existing cyber security awareness processes.

Content quality is also integral to your organization’s cyber security because it’s directly tied to the completion levels of your training. When you provide quality content, your employees understand this is a subject you’re serious about.

They’ll be much more likely to stick with their cyber security habits; when they do, you strengthen your data security.

Customize your content

Along with making sure your content is engaging and of high quality, it’s also helpful to vary the media you use to deliver it and to personalize it to your organization’s needs. Otherwise, it’s likely that your users will never relate to it or take it seriously.


For example, you can use newsletters and desktop images as reference material and reminders of best practices. Deploy them after the learning activities or use them to promote key topics that you did not have the opportunity to cover during your program.

You can also promote your message with short, engaging online learning activities throughout the year, such as microlearning, nano-learning, videos, and gamified Cyber Challenge modules.

Take the time to carefully consider and customize the content you want to include in each program campaign, too. To make your selection, you must consider many variables, including the risks, the behavior you want to change, your participants’ motivation, your organization’s culture, your training budget, and your capacity to implement and distribute the content in various forms.

Course customizations can also include things like your logo, brand colors, links to your organization’s policies, photos, videos, and other visuals relevant to your organization.

When customizing your program content, avoid over-customization. In other words, don’t cover too much information in a single course. Your goal should be to turn participants into security advocates, not experts, so tailor your content with that in mind.

Vary your tools

Everyone responds to messaging differently. Fortunately, there are an assortment of awareness tools available; which ones you choose will depend on the context and the target audience.

Online courses, for instance, allow you to reach a broad audience quickly. They offer a way to address specific learning objectives, and they generally have higher retention rates due to the interactivity that comes with online training.

Live presentations, on the other hand, are the ideal format to share valuable security-related information with executives and senior managers, because they are short (15–20 minutes) but long enough to cover the specific awareness concerns of leadership (e.g., threats and relevant news stories).

Live presentations can also be used for general audiences; they allow them to ask questions and hear from their peers.

After launching a campaign, use reinforcement tools to repeat the key messages covered in the awareness training. That will send the message home, ensure participants don’t forget best practices, and keep security top of mind.

Videos, newsletters, desktop images, web banners, games, and posters are just a few ways to increase retention, prioritize information security, and ultimately achieve your campaign objectives.

Instilling a culture of security at your organization is not a “one-and-done” project. It’s an ongoing process whose success depends on how engaging your content is.

But, by making sure you offer high-quality, engaging content in a variety of formats, you will go a long way toward making sure your employees learn, retain, and implement cyber security best practices.

About the essayist: Lise Lapointe has dedicated her career to growing security-aware organizational cultures worldwide. Her company, Terranova Security, spearheaded personalized, people-centric security awareness programs that reform risky human behaviors. A resident of Quebec, Lise has ranked among both IT World Canada’s “Top 20 Women in Cyber Security” and WXN’s “100 Most Powerful Women” entrepreneurs in Canada.

(Editor’s note: This essay was adapted from Lapointe’s book, The Human Fix to Human Risk.)

Modern cyber attacks are ingenious — and traditional vulnerability management, or VM, simply is no longer very effective.

Related: Taking a risk-assessment approach to VM

Unlike the typical cyber attack that exploits a software vulnerability, many recent attacks exploit other weaknesses, such as misconfigurations, security deviations, and posture anomalies. Yet VM vendors tend to focus on software vulnerabilities and leave out everything else.

SecPod’s research shows that some 44 percent of the vulnerabilities in a typical IT infrastructure don’t have a Common Vulnerabilities and Exposures (CVE) designation.

The consequences of a cyber attack can be devastating; from a rapid drop in brand reputation to loss of business and sensitive data. Cyber attacks can also invite lawsuits and can even be fatal.

In addition to ongoing protection, effective VM also helps with compliance at a time when data security requirements are multiplying across frameworks and regulations such as NIST guidance, PCI DSS, HIPAA and GDPR.

With traditional VM, achieving compliance is a struggle. Advanced VM provides an actionable way of adhering to regulatory and policy mandates that call for risks to be identified and detected as part of ongoing data security.

Where traditional VM is herky-jerky, advanced VM is a continuous and smooth process that yields far more efficient detection, integration, and automation.

Further, effective VM can be very cost-effective; the potential cost saved in preventing cyberattacks is enormous when compared to total security expenditures.

Reinventing VM

The importance of effective VM can’t be overstated. Yet given the evolving IT environment, CISOs, sysadmins, and IT security teams are struggling to protect their networks.


Ideally, VM should be continuous and proactive, but traditional VM is jagged, broken, insufficient — and in desperate need of reinvention.

With traditional VM, detection is limited to software vulnerabilities, assessment and prioritization to a Common Vulnerability Scoring System (CVSS) ranking, and remediation to patching. This approach provides only superficial visibility into the IT infrastructure and does not take lateral attack vectors into account.

Without automation, the laborious task of scanning and remediation is difficult. Additionally, multiple teams use multiple tools in traditional VM, leading to a disconnect and friction between them, further reducing the effectiveness of traditional VM.

The Jira misconfiguration leaks highlight the devastating impact that weaknesses beyond those catalogued as CVEs can have in a modern environment. Modern cyberattacks exploit misconfigurations and other security risks, and research reflects the same: some 31 percent of respondents to a recent ESG survey pointed to misconfigurations as the initial point of compromise for a successful ransomware attack.

Advanced capabilities

Advanced VM assesses exploitability and criticality with high fidelity so that risks can be mitigated effectively. Traditional VM can only remediate software vulnerabilities with patches, while advanced VM also fixes misconfigurations, normalizes deviations, and eliminates other security risks. So a dangerous new weakness that lacks a CVE designation, or one that registers a low CVSS score, can still be detected and remediated in a timely manner.
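The following is an added example, not SecPod’s product logic or code from this essay. It assumes a hypothetical scanner export in which software vulnerabilities (with placeholder CVE ids and CVSS base scores) sit alongside misconfigurations that have no CVE at all, and it contrasts a CVSS-only queue with a contextual one that also weighs exposure and known exploitation. The CVE ids, asset names and weighting factors are all invented for illustration.

```python
"""Prioritising findings that do and do not carry a CVE (added example).

Assumptions (not from the essay): a scanner export mixing CVE-based
vulnerabilities with misconfigurations, placeholder CVE ids of the form
CVE-0000-000N, and a simple additive weighting for exposure and exploitation.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    kind: str                 # "cve" (software vulnerability) or "misconfig"
    cve: Optional[str]        # None for findings that have no CVE designation
    cvss: Optional[float]     # CVSS base score; only meaningful when kind == "cve"
    severity: str             # scanner's own rating: critical/high/medium/low
    internet_facing: bool     # asset is reachable from the internet
    known_exploited: bool     # exploitation observed in the wild (hypothetical intel feed)
    fix: str                  # remediation type: "patch" or "reconfigure"


# Map the scanner's qualitative rating onto the CVSS 0-10 scale so that
# non-CVE findings can be compared with CVE-based ones (assumed mapping).
SEVERITY_TO_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5}
INTERNET_FACING_BONUS = 2.0   # assumed weights, tune to your environment
KNOWN_EXPLOITED_BONUS = 3.0


def base_score(f: Finding) -> float:
    """Put CVE and non-CVE findings on one 0-10 scale."""
    if f.kind == "cve" and f.cvss is not None:
        return f.cvss
    return SEVERITY_TO_SCORE[f.severity]


def risk_score(f: Finding) -> float:
    """Contextual score: base score plus exposure and exploitation evidence."""
    score = base_score(f)
    if f.internet_facing:
        score += INTERNET_FACING_BONUS
    if f.known_exploited:
        score += KNOWN_EXPLOITED_BONUS
    return round(score, 2)


def cvss_only_queue(findings: List[Finding]) -> List[Finding]:
    """Traditional VM: rank by CVSS, which silently drops anything without a CVE."""
    with_cvss = [f for f in findings if f.kind == "cve" and f.cvss is not None]
    return sorted(with_cvss, key=lambda f: f.cvss, reverse=True)


def contextual_queue(findings: List[Finding]) -> List[Finding]:
    """Rank every finding, CVE or not, by its contextual risk score."""
    return sorted(findings, key=risk_score, reverse=True)


def dropped_by_cvss_only(findings: List[Finding]) -> List[Finding]:
    """Findings a CVSS-only queue never shows the remediation team."""
    shown = set(id(f) for f in cvss_only_queue(findings))
    return [f for f in findings if id(f) not in shown]


# Constructed sample export; CVE ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("db-02", "Database engine remote code execution", "cve", "CVE-0000-0001",
            9.1, "critical", internet_facing=False, known_exploited=False, fix="patch"),
    Finding("web-01", "Object storage bucket allows anonymous listing", "misconfig", None,
            None, "high", internet_facing=True, known_exploited=False, fix="reconfigure"),
    Finding("app-03", "Web framework path traversal", "cve", "CVE-0000-0002",
            5.3, "medium", internet_facing=True, known_exploited=True, fix="patch"),
    Finding("mgmt-gw", "Default credentials on management interface", "misconfig", None,
            None, "critical", internet_facing=False, known_exploited=False, fix="reconfigure"),
    Finding("ws-17", "Outdated media library", "cve", "CVE-0000-0003",
            7.5, "high", internet_facing=False, known_exploited=False, fix="patch"),
]


if __name__ == "__main__":
    print("CVSS-only queue:")
    for f in cvss_only_queue(SAMPLE_FINDINGS):
        print(f"  {f.cvss:>4}  {f.asset:<8} {f.title}")
    print("Contextual queue:")
    for f in contextual_queue(SAMPLE_FINDINGS):
        print(f"  {risk_score(f):>5}  {f.asset:<8} {f.title} [{f.fix}]")
    print("Never shown by the CVSS-only queue:",
          [f.asset for f in dropped_by_cvss_only(SAMPLE_FINDINGS)])
```

With the sample data, the CVSS-only queue lists db-02, ws-17 and app-03 and never surfaces the open bucket or the default credentials at all, while the contextual queue puts the actively exploited, internet-facing medium-CVSS item first and both misconfigurations above the internal 9.1. The fix field is what lets remediation route patches and configuration changes to different workflows.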

The lack of tools with the right capabilities, and the inertia involved in shifting to new technology, are the main reasons advanced VM is not yet adopted universally. But it’s only a matter of time before it gains widespread adoption.

Modern networks are becoming increasingly interconnected and massive. This means a larger attack surface, numerous security risks, and more work for IT security teams.

Advanced VM, with its broader detection, faster scans, and integrated remediation, is the only way of combating modern cyberattacks, and it is well positioned to become a core component of defending against ever-evolving threats.

About the essayist: Chandrashekhar Basavanna is the founder and CEO of SecPod Technologies, a cybersecurity technology company creating solutions that help enterprise IT security teams prevent cyberattacks on their computing environments.

Organizations with strong cybersecurity cultures experience fewer cyberattacks and recover faster than others.

Related: Deploying human sensors

This comes from emulating the culture-building approaches of high-risk industries like construction, which devote sustained attention to embedding safety throughout the organization.

For most organizations, building a cybersecurity culture is a necessary evil rather than a cherished goal. Prioritizing security means desirable cultural norms like openness, trust building, creativity, efficiency, and risk-taking might suffer.

Until a decade ago few organizations needed a cyber security culture. If the security industry catches up with adversaries, then the need for a cybersecurity culture will eventually fade away. Few will miss it.

Cybersecurity culture is a subset of the overall corporate culture. It harnesses beliefs and values to promote secure behaviors by employees in everyday work activities.

Model culture

Cybersecurity culture is necessary today because routine actions such as opening emails, responding to customer requests and using productivity software can put the organization at risk for ransomware and data breaches.

Inherently dangerous industries like construction provide a good model for culture building. Top performers know that systematically building and enforcing a culture of safety among all employees leads to success. This experience can be translated to the cyber realm.

Leading construction firms take an aggressive approach to creating a culture of safety:

• They make safety the organization’s number one priority. Management makes decisions that favor safety over other priorities such as cost, speed, and flexibility. That only happens with a real commitment from the top.

• Ongoing training ensures employees can confidently perform the safety roles assigned to them. Time and money for training is another tangible example of a company’s seriousness.

• Managers ensure that employees are involved and committed by building safety into everyday routines and guarding against cynicism and noncompliance.

• Reward and punishment are used to translate the safety priority into consequences. Bonuses are awarded for going above and beyond. Those who fail to perform after constructive feedback are written up or terminated.

Few organizations are ready to make cybersecurity their top priority the way construction makes safety number one, and it would be a shame if they had to. But sometimes there are ways to avoid the tradeoff, such as designing new processes that are simultaneously more secure and more efficient.

Cultural norms

The emphasis on building a cybersecurity culture can provide a convenient excuse to blame employees for security issues that don’t belong on their shoulders. A widely cited study concludes that close to 90 percent of data breaches are caused by employee error. But blaming end users makes matters worse. Employees feel ashamed and culpable, and may be less likely to report a problem when they see it for fear of being blamed.

Cybersecurity culture should not expect employees to be the main line of defense for an organization’s systems. What cultural norms are reasonable?

• Employees should be honest about security concerns and not feel shame when they click a link they should have avoided. The culture should encourage and reward transparent reporting.

• It is reasonable to expect employees to understand and follow the incident reporting process.

• Employees should know who is responsible for information and operational security.

• Employees should be trained in and understand privacy laws and policies, including GDPR and U.S. privacy laws from California and other states where they do business.

Amusement park analogy

It is an open question whether frontline and non-technical employees need a cybersecurity culture at all. Consider an amusement park with a variety of thrilling but potentially dangerous rides like roller coasters.


Safety is built into the rides themselves. If there’s a power failure and a ride gets stuck with guests hanging upside down, they should still be OK as long as the park employees follow basic procedures like checking that everyone is strapped in. All we expect of visitors is that they don’t do something truly reckless like wriggling out of their seatbelts or standing up in tunnels.

Ideally, cybersecurity should work the same way. Let hardware and software makers build in security by design, let cybersecurity staff make sure vulnerability scanning tools are deployed securely, and let regular workers experience the thrill of their jobs, or at least the mundane experience of safely getting through their day.

About the essayist: Matthew T. Carr is co-founder and head of research and technology at Atumcell, which provides cyber security software and services for private equity firms and their portfolio companies. He is an award-winning cyber security researcher, inventor and penetration tester who helps organizations solve thorny security and privacy problems.

APIs have been a linchpin as far as accelerating digital transformation — but they’ve also exponentially expanded the attack surface of modern business networks.

Related: Why ‘attack surface management’ has become crucial

The resultant benefits-vs-risks gap has not surprisingly attracted the full attention of cyber criminals who now routinely leverage API weaknesses in all phases of sophisticated, multi-stage network attacks.

The collateral damage has escalated to the point where federal regulators have been compelled to step in.

Last October the FFIEC explicitly called out APIs as an attack surface that must, henceforth, comply with a new set of API management practices.

Guest expert: Richard Bird, Chief Security Officer, Traceable

I had the chance to visit with Richard Bird, Chief Security Officer at Traceable.ai, which supplies security systems designed to protect APIs from the next generation of attacks.

We discussed, in some detail, just how far the new rules go in requiring best practices for accessing and authenticating APIs. Bird also enlightened me about how and why this is just a first step in comprehensively mitigating API exposures. For a full drill down, please give the accompanying podcast a listen.

There’s little doubt that the new FFIEC rules will materially raise the bar for API security. In the short run companies subject to federal financial institution jurisdiction will have to hustle to get their API act together; and in the long run other companies in other verticals should follow suit.

I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

The cybersecurity landscape is constantly changing. While it might seem like throwing more money into the IT fund or paying to hire cybersecurity professionals are good ideas, they might not pay off in the long run.

Related: Security no longer just a ‘cost center’

Do large cybersecurity budgets always guarantee a company is safe from ongoing cybersecurity threats?

According to research from Kiplinger, businesses are spending less on capital equipment, especially as rumors of a mild recession loom. However, organizations in 2023 know that one crucial area to spend money on is cybersecurity.

Cyberattacks are more frequent, intense and sophisticated than ever. In response, businesses of all shapes and sizes allocate funds to their IT departments or cybersecurity teams to make sure they’re well defended against potential threats. They may adopt tools such as firewalls or antivirus software, which are helpful, but these are not the only tactics that keep a network secure.

Unfortunately, a large cybersecurity budget does not necessarily mean a company has a solid, comprehensive security plan. Organizations can spend all they have on cybersecurity and still have pain points in their program. Threat actors will still use social engineering tactics such as phishing, and tools such as ransomware, to target businesses, steal data and earn a significant payday.


One of the best ways to use a large cybersecurity budget is to take an intelligent threat approach, in which a company uses all its resources and information to determine which threats are most likely to affect it. Using this approach does not require vast amounts of spending.

An intelligent threat approach should leverage four key principles: accuracy; relevance; actionability; cost-effectiveness.

The information used to guide a cybersecurity program should always be accurate and relevant to existing and emerging threats. Identified threats should also be actionable, so the organization can respond without spending too much of its resources. Together, these four principles are the foundation of a cost-effective cybersecurity program.

Here are some do’s and don’ts that will help companies save on their cybersecurity budgets and still maintain good cybersecurity posture in an increasingly threatening environment.

Do:

• Research cybersecurity solutions before spending to find the most cost-effective options.

• Partner with a third-party cybersecurity firm to lean on for guidance.

• Focus on creating a mitigation and remediation plan to be proactive.

• Move toward a converged IT solution to bring together data analytics and cybersecurity.

• Eliminate tools that are not delivering valuable insights or solutions to the organization.

• Only adopt the necessary cybersecurity solutions based on the organization’s needs.

Don’t:

• Hire unnecessary personnel to handle cybersecurity tasks.

• Implement too many solutions, as that leads to confusion and complexity.

• Overspend just for the sake of saying the cybersecurity team is well-funded.

Although a good cybersecurity strategy does require businesses to spend a considerable amount, not every strategy requires hundreds of thousands or millions of dollars to be strong, nor is a strategy complete just because it has received an influx of funds.

Depending on the organization, it’s crucial to find the right cybersecurity solutions so IT pros can perform their duties and protect the organization. Ultimately, companies should strike a balance between overspending and spending the right amount on valuable solutions and tools that make their defenses as strong as possible.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

One common misconception is that scammers usually possess a strong command of computer science and IT knowledge.

Related: How Google, Facebook enable snooping

In fact, the majority of scams rely on social engineering. The rise of social media has added to the many user-friendly digital tools that scammers, sextortionists, and hackers can leverage to manipulate their victims.

Cybersecurity specialists here at Digital Forensics have built up a store of knowledge tracking criminal patterns while deploying countermeasures on behalf of our clients.

One trend we’ve seen in recent years is a massive surge in sextortion cases. This online epidemic involves blackmailing a victim with compromising material, typically nude photos and videos.

These sextortionists are among the lowest forms of criminals, working tirelessly to exploit moments of weakness in their victims induced by loneliness and basic human nature.

Fraud has existed since the dawn of civilization and economics. Scholars have determined that the precursors of money, in combination with language, are what enabled humans to solve cooperation problems that other animals could not. The advancement of fraud has run parallel to that of currency.

Exploitation drivers

From the case of Hegestratos committing insurance fraud by sinking a ship in 300 B.C., to the Praetorian Guard selling the rights to the Roman throne in 193 AD, to the transgressions of Madoff and Charles Ponzi, fraud has always been embedded in society as a consequence of economics.

As technology has rapidly exceeded all historical imaginings, opportunities for fraudsters to exploit their victims abound. Digital exploitation refers to the abuse and manipulation of technology and the internet for illegal and unethical purposes, including identity theft, sextortion, cyberbullying, online scams, and data breaches.

The rise of digital exploitation has been a direct result of technological advancement and the widespread use of the internet in our daily lives.

Cybersecurity has developed as a necessary countermeasure to keep scammers from trampling the privacy of citizens. Since fraudsters constantly seek new methods of exploitation, cybersecurity specialists must be equally innovative, anticipating future techniques before they appear.

Modern cybersecurity and digital forensics must not merely react to cases of fraud, but must proactively probe current systems for weaknesses in order to stay ahead of fraudsters.

The success of digital exploitation can be attributed to several factors, including difficulty in keeping up with the latest security measures, increased reliance on technology and the internet, and a general lack of awareness and education about the dangers of the internet.

Countermeasures

To address the issue of digital exploitation, it is essential to raise awareness and educate people about the dangers of the internet, and to continue to develop and implement strong security measures to protect personal information and sensitive data.


It may someday fall to the Federal government to deploy cybersecurity as a service such as community hubs or public utilities, but for the foreseeable future it falls upon private enterprises to assist clients suffering from a digital exploit in reclaiming their lives.

Digital Forensics experts are trained to follow digital footprints and track down IP addresses, cell phone numbers, email addresses, social media accounts and even specific devices used in these crimes. We can identify online harassers or extortionists with a high degree of success, arming clients with the evidence they need to confront a harasser, seek a restraining order or even press charges.

About the essayist: Collin McNulty is a content creator and digital marketer at Digital Forensics, a consultancy that works with law firms, governments, corporations, and private investigators.

A new report from the Bipartisan Policy Center (BPC) lays out, in stark terms, the prominent cybersecurity risks of the moment.

Related: Pres. Biden’s impact on cybersecurity.

The BPC’s Top Risks in Cybersecurity 2023 analysis calls out eight “top macro risks” that frame what’s wrong and what’s at stake in the cyber realm. BPC is a Washington, DC-based think tank that aims to revitalize bipartisanship in national politics.

This report has a dark tone, as well it should. It systematically catalogues the drivers behind cybersecurity risks that have steadily expanded in scope and scale each year for the past 20-plus years – with no end yet in sight.

Two things jumped out at me from these findings: there remain opportunities and motivators aplenty for threat actors to intensify their plundering; meanwhile, industry and political leaders seem at a loss to buy into what’s needed: a self-sacrificing, collaborative approach to systematically mitigating a profoundly dynamic, potentially catastrophic threat.

Last Watchdog queried Tom Romanoff, BPC’s technology project director, about this analysis. Here’s the exchange, edited for clarity and length:

LW: Should we be more concerned about cyber exposures than classic military threats?

Romanoff: Classic military threats will always merit significant concern due to their direct impact on life. But for most Americans, cyberattacks are a lot more likely to happen. They can cause severe economic or social disruptions and impact a broad crosscut of our society.

Incidents of nations using cyberattacks as an extension of military operations to disrupt or destabilize targets are on the rise. As part of criminal enterprises or economic warfare, nation-states using cyber-attacks can inflict damage without firing a shot and extend power beyond their borders.

Our report connects the threats from particular nation-states and showcases how this can accelerate risks for non-military organizations.

LW: Regulation hasn’t seemed to help much; data security rules have been highly fragmented, i.e., Europe vs. the U.S. and even state-by-state in the U.S.

Romanoff: Concerns about data privacy and cybercrime are fast-tracking the push for regulations. In the U.S., tech has enjoyed “permissionless innovation” for much of its industrial existence.

As Congress continues to debate the role of Big Tech, increased state-level regulations, and worldwide regulations, policymakers are increasingly pressured to do something to increase data protections.


California is leading the effort at the state level and has passed the California Consumer Privacy Act (CCPA). Similar bills, including many data privacy bills, follow California’s lead. For example, Colorado, Connecticut, Utah and Virginia have all signed privacy laws in the last few years, and fifteen other states are considering privacy laws.

The push for a national data privacy law would have an immediate and quantifiable impact, but sadly progress is stalled. Without a national data privacy law or laws, we are left with a fragmented regulatory landscape.

The EU is moving much faster to regulate digital security. Between the General Data Protection Regulation (GDPR), Digital Services Act (DSA), the Digital Markets Act (DMA), and the emerging ePrivacy Regulation, the EU is framing the data security debate worldwide.

The overall impact of regulations has been on how businesses collect, process, and protect personal data. There will continue to be a push to increase transparency and accountability around data handling practices. For example, the recent FTC complaint regarding GoodRx and the Illinois case against White Castle for violations of the Biometric Information Privacy Act (BIPA) show that the norm is trending toward increased oversight.

LW: So what difference can regulation actually make in the next few years?

Romanoff: We should expect the government to break from the self-governance/marketplace regime that has been in place and move away from incentive-based cyber compliance. I expect to see more penalties for data leaks or non-compliance.

DMA and other EU regulations will come online, creating compliance hurdles for American companies.

We can also expect the U.S. government to work toward more oversight mechanisms by finding authorities that can be interpreted through a data-security lens.

LW: It’s certainly not a surprise that nightmare breaches keep happening; your report calls out lagging corporate governance as a major variable.

Romanoff: Cybersecurity in many organizations is considered a cost, not an investment. Too often, cyber leaders are not included in board discussions or c-suites, and thus cybersecurity isn’t integrated into business decisions. This will continue to be a challenge until security is built into the business model or product from the beginning.

For example, one of our working group members talked about the need to create software development teams that knew cybersecurity just as well as UX/UI. Traditionally these are different teams: one team builds the software product, and another one tests it for vulnerabilities.

When you have a team that builds a product with cybersecurity as part of its functionality, that’s when you have full integration. It’s the same for corporate governance: when cyber is built into a product, we know this risk is being meaningfully addressed.

LW: Will infrastructure threats and/or disruptions be a catalyst?

Romanoff: Infrastructure and utility disruptions pull cybersecurity from the abstract into reality for most Americans. These sectors continue to be targeted, and events like the Colonial Pipeline shutdown pushed government agencies and companies to prepare for attacks.

No system, no matter how well protected, is 100 percent safe from attack. What is important to highlight is the resilience and contingency planning that organizations should build into their strategy before being the disruption case study.

I commend the work that CISA and DHS are doing to help organizations build out that resiliency. By partnering with cyber leaders in these sectors, CISA is working to mitigate risks before they become disruption events.

LW: What is an optimistic scenario for shrinking the trajectory of cybersecurity risks, as laid out in this report?

Romanoff: Hopefully, some of these risks will be addressed and become part of standard resilience and contingency planning. However, eight of the risks we identified are not new. They have been a concern for some time.

We hope that the framing of this report will spur action, especially at the policy level, to allocate the necessary time and resources. Our report is a baseline for 2023, and we hope to update it as new risks emerge or as risks are addressed meaningfully, mitigating their impact.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)


This year has kicked off with a string of high-profile layoffs — particularly in high tech — prompting organizations across all sectors to both consider costs and plan for yet another uncertain 12 or more months.

Related: Attack surface management takes center stage.

So how will this affect chief information security officers (CISOs) and security programs? Given the perennial skills and staffing shortage in security, it’s unlikely that CISOs will be asked to make deep budget or staffing cuts, yet they may not come out of this period unscathed.

Whether the long anticipated economic downturn of 2023 is a temporary dip lasting a couple quarters or a prolonged period of austerity, CISOs need to demonstrate that they’re operating as cautious financial stewards of capital, a role they use to inform their choices regardless of the reality — or theater — of a recession.

This is also a time for CISOs to strengthen influence, generate goodwill, and dispel the perception of security as cost center by relieving downturn-induced burdens placed on customers, partners, peers, and affected teams.

For CISOs to achieve these goals, here are five recommended actions:

•Tie security to the cost of doing business. CISOs should not allow their board or executive team to continue believing that cybersecurity exists solely as a cost center. In other words, they shouldn’t detail how cybersecurity spending drives revenue and that cuts to the security program directly affect relationships and requirements with three key constituencies: customers, insurers, and regulators.

Instead, they should defend their security budget by quantifying investments in required security controls — and how much revenue is generated from the systems those controls protect. Ultimately, cybersecurity can become a profit center when customers, insurers, and regulators require it.

•Demonstrate secure practices to customers. Your customers’ security teams are navigating the same downturn pressures. They still need to collect audit and security information from vendors, and they may have fewer employees to complete the work. CISOs should prioritize security initiatives that drive the top line and increase customer stickiness, such as bot management solutions that improve customer experience, and then inform customers of the steps taken to thwart costly application attacks.

These include such initiatives as monitoring for denial of wallet attacks in serverless functions, minimizing bot fraud, and keeping an eye on bug bounty program costs. Lastly, CISOs should automate processes such as security questionnaire responses and software bill of materials generation to give customers what they need before they ask for it.

•Support (as you influence) peers in other functions. Now is the time for CISOs to focus on key corporate objectives and ensure that their security initiatives demonstrate traceable alignment. If you didn’t start this practice in your early days as a security leader, take the time now to schedule regular meetings with peers across functions to stay current on their challenges, security needs, and points of friction.

From there, develop joint initiatives that further corporate objectives and provide services, resources, or assistance in the form of partial funding or staffing and friction-remediation efforts. This ethical politicking will make funding or resource allocation discussions more amicable. It will also extend goodwill toward the security organization in the future, when CISOs may need allies and evangelists to push through policy or process changes.

•Stop backfilling open positions (for now). No security leader wants to ask an already overwhelmed team to do more with less. Not backfilling certain roles, however, reduces costs voluntarily and minimizes the need for future involuntary cuts. For CISOs, this requires excellent communication and management skills when explaining to their teams why these roles will stay vacant.


This should include succession planning, associated upskilling, and job shadowing efforts for those who stick around. Provide an expected duration for the hiring freeze and work with regional nonprofits to bring on cost-effective cybersecurity apprentices — relieving some of the pressure while creating a pipeline of experienced talent at the ready when the freeze lifts.

•Resist the temptation to consolidate your partner ecosystem. Although cutbacks in this area may appear to be a practical cost-saving strategy, overcorrection in key areas such as cybersecurity, risk, and compliance could increase concentration risk, expose firms to disruption, and severely affect your operations. Given economists’ estimates that modern recessions last 10 months, CISOs should consider in their decision-making the time it takes to fully onboard a strategic supplier — typically six months or more — so they can ensure that they don’t miss out on opportunities when the economic pendulum swings in the opposite direction.

The outlined actions must be executed deftly at a time when instilling and maintaining trust with customers, employees, and partners is a business imperative. They also become crucial when factoring in how current geopolitical events and technology innovations continue to fuel a highly sophisticated and evolving threat landscape.

About the essayist: Jess Burn is a Forrester senior analyst who covers CISO leadership & security staffing/talent management, IR & crisis management, and email security.

APIs (Application Programming Interfaces) play a critical role in digital transformation by enabling communication and data exchange between different systems and applications.

Related: It’s all about attack surface management

APIs help digital transformation by enabling faster and more efficient business processes, improving customer experience, and providing new ways to interact with your business.

Whether an API is exposed for customers, partners, or internal use, it is responsible for transferring data that often holds personally identifiable information (PII) or reveals application logic and valuable company data.

Therefore, the security of APIs is crucial to ensure the confidentiality, integrity, and availability of sensitive information and to protect against potential threats such as data breaches, unauthorized access, and malicious attacks.

API security is essential for maintaining the trust of customers, partners, and stakeholders and ensuring the smooth functioning of digital systems. If API security is not properly implemented, it can result in significant financial losses, reputational damage, and legal consequences.

So, how can you ensure your API security is effective and enable your digital transformation?

Attack vector awareness

Hackers want to intercept and exploit API vulnerabilities to gain access to API endpoints and data. Over the last few years, we have observed that APIs are the favorite attack vector for hackers.

According to an article in DarkReading, losses to US companies due to API data breaches were estimated at between $12 billion and $23 billion in 2022 alone. A study by the Marsh McLennan Cyber Risk Analytics Center and Imperva analyzed 117,000 unique cybersecurity incidents and estimated that API security issues result in US$ 41 to 75 billion of losses annually.

Why traditional approaches to securing APIs are not sufficient


As the adoption of APIs grows, the demand for security solutions increases. But, we have seen that the traditional approaches to securing APIs, such as basic authentication and IP whitelisting, are no longer sufficient in today’s rapidly evolving digital landscape.

Organizations must adopt a modern, comprehensive approach to API security that includes a combination of technical controls, policies, and processes to secure APIs effectively in today’s dynamic digital landscape.

To address this demand, a number of vendors have entered the market to provide solutions to help businesses secure their APIs. However, many of these vendors are providing solutions for managing APIs, not for securing these APIs. For example, security monitoring tools are not able to track API usage and activity. Due to this, these tools aren’t able to provide any actionable insights based on the data they collect.

API observability

Businesses can secure APIs with the “Shift-left and Automate-Right” approach across the entire API lifecycle.

Securing APIs across their entire lifecycle involves multiple stages, including design, development, testing, deployment, configuration, and maintenance. Each stage requires different security measures to ensure the confidentiality, integrity, and availability of sensitive information.

There are several models for API security that organizations can adopt, such as the five-stage approach described below:

•Discover: Make sure you have a complete view at all times. Manual tracking is hard, so automate API asset tracking to gain total visibility; proactively track and notify on any changes in APIs so there is no guesswork. Also unveil the hidden topology behind API and application traffic by reconstructing it from observed calls.

•Observe: Start analyzing and controlling what should really exist. Detect and alert on zombie and shadow APIs within the ecosystem. Things can break at any time, so 360-degree API observability for SRE is important. Start with the basics: secure against the OWASP Top 10 and keep those controls updated.

•Model: Define organization-wide best practices with the flexibility for domain teams to extend them. Define data constraints to protect against attacks. Detect and prevent suspicious activity before it causes damage. Measure and protect your APIs with rate limiting, authZ and authN, data validation, versioning, and error handling.

•Act: Enforce best practices seamlessly, without becoming a bottleneck, to increase API accuracy and resilience. Set up API audits to track API calls, responses, errors, and data accuracy. Monitor APIs to produce detailed reports on API health, usage, and performance. Automate API testing to track API behavior.

•Insights: Derive insights holistically and not just at the level of each API. Maintain high standards with automated maturity scorecards. Make service ownership a reality. Set standards, give guidance, and measure adoption. Build a culture of continuous improvement.
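The Discover and Observe stages above hinge on one concrete check: reconcile what the API inventory says exists against what gateway traffic shows actually being called. The following is an added example, not code from the essay or from APIwiz, that performs that reconciliation. The inventory shape (method plus OpenAPI-style path template, with a deprecated flag) and the access log format are assumptions constructed for the example; a "shadow" API is one that appears in traffic but not in the inventory, a "zombie" API is one the inventory marks deprecated but that still receives calls.

```python
import re
from collections import Counter

# Constructed inventory, shaped like the paths section of an OpenAPI document.
# Keys are "METHOD /path/template"; "deprecated" marks endpoints that should
# no longer receive traffic. This is sample data, not a real catalogue.
INVENTORY = {
    "GET /v2/users/{id}": {"deprecated": False},
    "POST /v2/orders": {"deprecated": False},
    "GET /v1/orders/{id}": {"deprecated": True},
    "DELETE /v2/users/{id}": {"deprecated": False},
}

# Constructed gateway access log: method, path, status, client id.
ACCESS_LOG = """\
GET /v2/users/42 200 client-a
GET /v2/users/7 200 client-b
POST /v2/orders 201 client-a
GET /v1/orders/1001 200 client-c
GET /internal/debug/dump 200 client-c
POST /v2/orders 201 client-b
"""


def template_to_regex(template):
    """Turn a path template such as '/v2/users/{id}' into an anchored regex.

    Each {param} segment matches exactly one path segment, so '/v2/users/42'
    matches but '/v2/users/42/orders' does not.
    """
    parts = re.split(r"(\{[^}]+\})", template)
    body = "".join(r"[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def build_matchers(inventory):
    """Precompile (key, method, regex, metadata) tuples for every inventory entry."""
    matchers = []
    for key, meta in inventory.items():
        method, template = key.split(" ", 1)
        matchers.append((key, method, template_to_regex(template), meta))
    return matchers


def classify_traffic(log, inventory):
    """Map each logged call to an inventory entry and report the gaps.

    Returns a dict with per-endpoint call counts ("seen"), undocumented
    endpoints observed in traffic ("shadow"), deprecated endpoints still
    being called ("zombie"), and documented endpoints with no traffic ("unused").
    """
    matchers = build_matchers(inventory)
    seen = Counter()
    shadow = Counter()
    for line in log.splitlines():
        method, path, _status, _client = line.split()
        for key, m_method, rx, _meta in matchers:
            if m_method == method and rx.match(path):
                seen[key] += 1
                break
        else:
            # No inventory entry matched: this is a shadow API call.
            shadow[f"{method} {path}"] += 1
    zombie = sorted(k for k, meta in inventory.items()
                    if meta["deprecated"] and seen[k] > 0)
    unused = sorted(k for k in inventory if seen[k] == 0)
    return {"seen": dict(seen), "shadow": dict(shadow),
            "zombie": zombie, "unused": unused}


if __name__ == "__main__":
    report = classify_traffic(ACCESS_LOG, INVENTORY)
    for bucket in ("shadow", "zombie", "unused"):
        print(f"{bucket}: {report[bucket]}")
```

Each of the three gap buckets maps to an action in the stages above: shadow endpoints need to be inventoried or removed, zombie endpoints need their deprecation enforced at the gateway, and unused endpoints are candidates for retirement to shrink the attack surface.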

By implementing security measures at each stage of the API lifecycle, organizations can ensure that their APIs are secure, and that sensitive information is protected against potential threats.

Together, these elements form the foundation for a practical approach to securing APIs. Continually reviewing your API security is a best practice for good governance.

About the essayist: Rakshith Rao is the co-founder and CEO of API lifecycle management tool APIwiz. Rak brings 17 years of experience in enterprise technical sales leadership, including at Apigee and Google, DataStax, and HP.

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures.

Related: The coming of agile cryptography

These secrets work similarly to passwords, allowing systems to interact with one another. However, unlike passwords intended for a single user, secrets must be distributed.

For most security leaders today, this is a real challenge. While there are secret management and distribution solutions for the development cycle, these are no silver bullets.

Managing this sensitive information while avoiding pitfalls has become extremely difficult due to the growing number of services in recent years. According to BetterCloud, the average number of software as a service (SaaS) applications used by organizations worldwide has increased 14x between 2015 and 2021. The way applications are built also evolved considerably and makes much more use of external functional blocks, for which secrets are the glue.

Poor practices

In the field, people often copy and paste secrets into configuration files, scripts, source code, or private messages without considering the consequences. Source code repositories are cloned and take with them hard-coded credentials, resulting in an explosion of “secrets sprawl.”

To understand the magnitude of the problem, each year GitGuardian publishes the number of secrets that have been mistakenly published on GitHub, the world’s first code-sharing platform. In 2021 alone, more than 6 million secrets leaked in developers’ code, which is more than 16,000 per day on average!

The projects hosted by the platform are mostly personal projects or open-source repos. Still, it is important to understand that these errors slip in easily and are difficult to identify and resolve. Even the most experienced developers can inadvertently publish this extremely sensitive information, giving access to the resources of the companies they work for.

Security specialists try to warn against the problem. Still, today the priority of boards of directors is to deliver value to customers faster than the competition, which means accelerating the development process. Combining flexibility and security is the source of all compromises, including when it comes to managing secrets.

It can be difficult to know where to start. That’s why we created a framework to help security managers evaluate their current posture and take steps to strengthen their enterprise secrets management practices.

Mitigating errors

You can start right away here with a straightforward (and confidential) questionnaire. The linked white paper explains the three stages of this process:

•Assessing secrets leakage risks

•Establishing modern secrets management workflows

•Creating a roadmap to improvement in fragile areas

This model emphasizes that secrets management is more than just how an organization stores and shares secrets. It is a program that must coordinate people, tools, and processes, and also account for human error. Errors cannot be prevented, but their effects can be. That is why detection, remediation tools and policies, and secrets storage and distribution, are the foundations of our maturity model.
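Detection is named above as one foundation of the maturity model, and the "Poor practices" section describes the thing to detect: credentials pasted into source and configuration files. The following is an added example, not GitGuardian’s own scanner or code from the essay, of the two techniques such a detector typically combines: patterns for credential formats with a fixed, public structure (the AWS access key ID prefix, the GitHub personal access token prefix, PEM private key headers) and a Shannon entropy test on string literals assigned to secret-looking variable names. The entropy threshold, the placeholder word list and the sample source file are constructed assumptions for the example; the AWS key ID shown is the one AWS publishes in its own documentation as a non-working example.

```python
import math
import re
from dataclasses import dataclass

# Rules for credential formats with a known, public structure.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "name = 'value'" assignments whose name suggests a secret. The
# value must be at least 8 characters; shorter literals are rarely credentials.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_]*(?:secret|token|password|passwd|api_?key)[a-z0-9_]*)\b"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)

ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune per codebase
PLACEHOLDER_WORDS = ("example", "changeme", "placeholder", "xxxx", "dummy")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep a short prefix so a finding can be reported without re-leaking the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


@dataclass
class Finding:
    line: int
    rule: str
    masked: str


def scan(text: str) -> list[Finding]:
    """Scan one file's contents and return the secrets found, with values masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# secret-scan: ignore" in line:  # explicit, reviewable exception
            continue
        hit = False
        for rule, pattern in PATTERN_RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, rule, mask(m.group(0))))
                hit = True
        if hit:
            continue
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group("value")
            if any(w in value.lower() for w in PLACEHOLDER_WORDS):
                continue  # obvious placeholder, not a real credential
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "high_entropy_assignment", mask(value)))
    return findings


# Constructed sample file, not taken from any real repository.
SAMPLE_SOURCE = '''\
# constructed sample, not from any real repository
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"          # documented example key ID from AWS docs
API_KEY_HEADER = "X-Api-Key"                       # a header name, not a secret
DB_PASSWORD = "Zq8!vL2#nR7@kP5$wX9%"               # constructed high-entropy literal
STRIPE_SECRET = "sk_test_changeme"                 # placeholder, intentionally ignored
TEST_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"  # secret-scan: ignore
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.masked}")
```

On the sample file the scanner reports the AWS key ID on line 4 and the high-entropy password on line 6, while the header name, the placeholder and the explicitly ignored fixture produce nothing. The ignore comment and the placeholder list are the two pressure valves that keep a scanner like this usable in CI; both are where real secrets hide when they are abused, so exceptions should be reviewed like any other code change.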


If you are wondering why secrets in code should be a priority among so many other vulnerabilities, just look at the recent security incidents of 2022: several major companies experienced the fragility of secrets management.

In September, an intruder accessed Uber’s internal network and found hardcoded admin credentials on a network drive. These secrets enabled the attacker to log in to Uber’s privileged access management platform, where many more plaintext credentials were stored. This gave the attacker access to Uber’s admin accounts in AWS, GCP, Google Drive, Slack, SentinelOne, HackerOne, and more.

In August, LastPass suffered a similar attack. Someone stole its source code which exposed development credentials and keys. Later in December, LastPass revealed that an attacker had used the stolen source code to access and decrypt customer data.

In fact, source code leaks caused major issues for many organizations in 2022. NVIDIA, Samsung, Microsoft, Dropbox, Okta, and Slack were among those affected. In May, we warned about the large number of credentials that could be harvested from these codebases: with these credentials, attackers can gain leverage and move into dependent systems in what is known as supply chain attacks.

In January 2023, CircleCI was breached. Hundreds of the continuous integration provider’s customers’ variables, tokens, and keys were compromised. CircleCI urged its customers to change their passwords, SSH keys, and any other secrets stored on or managed by the platform. Victims had to find out where these secrets were and how they were being used to take emergency action. This highlighted the need for an emergency plan.

Taking secrets seriously

Attacks have become more sophisticated, with attackers recognizing that compromising machine or human identities yields a higher return on investment. This is a warning sign of the need to address hardcoded credentials and secrets management.

Cybersecurity teams are taking hard-coded secrets in source code seriously. Companies understand that source code is now one of their most valuable assets and must be protected. A breach could result in business continuity issues, reputation damage, and legal proceedings.

The increasing prevalence of code and services means that software- and code-related risks will not dissipate any time soon. Hackers now target software practitioners’ credentials to gain access to IT infrastructure.

To combat these challenges, organizations must have visibility into vulnerabilities at all levels. This requires going beyond traditional practices and involving developers, security engineers, and operations in detection, remediation, and prevention.

Organizations must be prepared for secrets sprawl and have the right tools and resources in place to detect and remediate any issues in a timely manner. It’s time to take action!

About the essayist: Thomas Segura’s passion for tech and open source led him to join GitGuardian as technical content writer. Having worked both as an analyst and as a software engineer consultant for major French companies, he now focuses on clarifying the transformative changes that cybersecurity and software are going through.