
InfoSecurity Professional INSIGHTS Newsletter

InfoSecurity Professional INSIGHTS is our bi-monthly e-newsletter, associated with our members-only digital publication, InfoSecurity Professional. Similar to the magazine, it will deliver timely, compelling content written with the professional development of infosecurity practitioners in mind.

InfoSecurity Professional INSIGHTS June Sponsor


Online MS in Cybersecurity from Drexel University
Drexel University’s online MS in Cybersecurity utilizes the College of Computing & Informatics and College of Engineering’s network of professionals to give students access to the latest research, tools and insights, and prepares students to meet the workforce needs through rigorous academic and experiential practical training.

June InfoSecurity Professional INSIGHTS

The Cybersecurity End Game Isn’t Just About Protection. It’s About Profits

By Sandip Dholakia, CISSP, CCSP

Photo Credit: Getty Images

Though staying secure is a cybersecurity professional’s priority, it isn’t the only one. Staying in business is just as important, no matter your title.

To be the best cybersecurity practitioner, you must embrace both the IT and business sides of an organization. More than your career depends on it.

At your service
Though functions may differ, security architect is almost an umbrella term for someone who provides the cybersecurity blueprint within an organization. To drive a security strategy, they must thoroughly understand end-to-end business processes as well as information security.

Sometimes the goals of security come in conflict with other service lines, particularly product development. Leadership typically wants to quickly produce functional, feature-rich products with minimal friction. Unfortunately, these teams too often see our cybersecurity recommendations (or even requirements) as adding time and costs to production schedules. Business requirements take priority over the security ones—after all, security is a supporting function/cost center while product makes money for the organization.

Here to help, not hinder
Such an attitude can make it difficult to get buy-in from a product team, including its leadership, to implement security measures, even now when cyber threats are rising—as is public awareness.

In my experience, the easiest way to incorporate security requirements in the design stage is first to find out the type of data an application will process and store. The data classification decides the amount and type of cyber protections needed for the application—and prevents us from over- or under-protecting products in development.

Implementing the right level of security controls before and during the deployment stage—threat modeling, dynamic code scans, pen testing, etc.—translates into direct savings if they prevent expensive exploits and breaches. That needs to be made clear to stakeholders inclined to balk at our involvement.

The challenges continue in the operations phase, where a product team always asks to log everything possible. This can add to storage costs and analysis time. Security architects can instead guide teams to select logs based on security and regulatory requirements. In the retirement phase, product teams typically want to dispose of data and media without careful consideration of the proper method of disposing of data based on its classification. Security architects should provide them with a process and criteria to ensure a retired product’s data and media are securely destroyed.

Don’t forget the importance of training
Over the years, I have noticed that most developers resist security testing because they fear a security scan will break the application, or that it will discover something that will take time to fix and delay the release of the product. Here’s where a security architect can provide security training, so developers see these measures as proactive protections, not productivity stoppers.

In conclusion, let’s remember: An army needs air cover to advance on the battlefield. So too do security teams need support from upper management—employees will take us seriously only if management does. Let’s give them a reason to root for us by showing we understand them and want to help everyone achieve their goals.

Sandip Dholakia, CISSP, CCSP, is a passionate security professional who works as a principal security architect at SAP. He is the author of the ebook Logging for SAP S/4HANA Security available through Rheinwerk Publishing and SAP Press.
