American Cyber Security Management

Secure and certify all your data and processes

Application Security: The Skills Challenge

November 8, 2017 By David Wolf

The Problem

Let’s face it, we have a problem. Hackers are breaching organizations’ software infrastructure and applications daily. Most of these breaches are preventable, yet they still happen in ever-growing numbers. From my experience, I don’t believe that we are investing enough in the skills of the developers who build our software or of the engineers who create the deployment environments. Security needs to be baked in at every level, and that includes investing in the training of an organization’s software development staff.

I believe that there are widespread assumptions about the security education of software developers who have come out of four-year programs, and these off-the-mark assumptions are driving how little is invested in training an organization’s development staff. Would you be surprised to learn that “More than 76% of college-educated respondents said they weren’t required to complete any courses focused on security during their higher education study” [1]? Most developers (64%) learn their security skills on the job, and “a miniscule 4% said they learned their most relevant skills from third-party training” [1]. “Only about half of respondents said their employers paid for any additional training since they entered the workforce” [1]. Clearly, we cannot assume that most software developers understand the security risks in the code they are developing.

I was surprised by these findings because, as someone who was in college in the late 70’s through early 80’s, security wasn’t a big deal then: most computers weren’t connected to a publicly accessible network. As the internet became available, usage expanded, and attacks became more common, I assumed that higher education would keep pace. However, it turns out that the curriculum guidelines created by the Association for Computing Machinery (ACM) recommend that someone pursuing a software engineering degree receive four to eight lecture hours of security-based training; that’s not per semester, but for their entire bachelor’s degree program. I’m stunned by this because I currently spend at least that much each month in professional study. I would not be surprised if executives who set the priorities for software development organizations are making the same false assumptions I did.

In order to develop and deploy systems that follow a “Defense in Depth” strategy of embedding security into every level of an application, as well as its deployment environment(s), the managers, software developers, DevOps engineers, and operations engineers must have the necessary security skills.

How do we go about correcting this problem? I believe that we must begin by doing the following:

  • Convince leadership that security must be baked into our software products, processes, and infrastructure; that not doing so may leave the company exposed to terminal risks (e.g. witness calls for the revocation of Equifax’s corporate charter). The priorities and budget for security must come from the top.
  • Equip our software developers, DevOps, and operations engineers with the knowledge to do their jobs securely and efficiently and renew that training regularly because threats change constantly.
  • Equip our software development managers with an understanding of how application security is baked into secure applications and the controls that can be implemented to do so.

We need to recognize that our development team’s security skills may not be at the level we think they are. Addressing problems with a “Defense in Depth” approach requires talented and knowledgeable staff. The first step in solving a problem is recognizing that we have one.

References

  1. The DevSecOps Global Skills Survey: https://info.veracode.com/analyst-report-devsecops-global-skill-survey.html

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. We can ensure your Agile delivery processes are secured and efficient, while maximizing your investments.

Filed Under: Cyber Security News

Business Continuity in a Sprouting World

October 31, 2017 By American Cyber Security Management

I’ve been spending a lot of time lately with early startups and small business owners talking about privacy and security. My previous jobs sent me into some very large enterprises to solve some very large privacy and security concerns. One has to ask, are these two worlds so different? I’d have to say yes and no. A recent series of outages involving an industry-specific ERP vendor understandably had business leaders in the marketplace upset. Many days’ worth of revenue was lost and regulatory reporting was halted, which in turn froze commerce in its tracks. In fact, there is a certain amount of outrage amongst the customers experiencing the outages; there’s also a certain amount of learned helplessness. This got me thinking: how can we apply a little Fortune 500 wisdom to help out the folks just getting started?

In general, businesses should adopt a holistic approach to their commercial continuity needs. While fledgling industry-specific software and service vendors may share in the responsibility, there are broader issues business leaders should consider when developing their plans to accelerate commerce and ensure regulatory compliance. Just as “compliance by design” is a mantra of certain industry pioneers, “availability by design” and “(cyber) security by design” are two best practices commonly employed by traditional lines of business; these measures should be adopted by emerging enterprises as well.

Continuity of critical business functions has been a mainstream technology concern as far back as the 1970s, when federal regulations required the telecommunications industry to provide highly available 911 services through their networks. “Five nines” of availability was the brass ring, and billions of dollars were spent to achieve it. Today, many of those lessons learned can be applied to our “as-a-service” economy. Just as traditional businesses require high availability from their vendors, small enterprises should vet their service providers for continuity, redundancy, and disaster recovery considerations.

Securing applications and productivity technology must also be a part of this plan. Cybersecurity has recently become a hot topic and there is a lot of hype. While nearly all business executives agree it is critical, and cyber risk is now a board-level topic, the industry itself is constantly evolving. No matter how large or small the business, it’s not a matter of if but when it will be breached.

But where to start securing your business? Consider taking a look at the Center for Internet Security’s (CIS) Guide for Small and Medium Size Enterprises (SMEs). CIS is a non-profit entity comprised of global IT professionals whose charter is to promote best practices for safeguarding against cyber crime. A copy of their SME guide can be found here: https://www.cisecurity.org/white-papers/cis-controls-sme-guide/. Recently, the California Attorney General endorsed the CIS security controls as the “minimum level” of “reasonable security” measures. Further, the AG’s report goes on to state, “failure to implement all the [CIS] controls that apply to an organization’s environment constitutes a lack of reasonable security.” Anyone looking to do business in the Golden State should definitely familiarize themselves with the CIS Top 20.

With the widespread adoption of cloud computing, mobile accessibility, and social media, these are really exciting times.  Never before has it been easier to start something new and big.  Along with the opportunity comes some bumps in the road but business leaders don’t necessarily have to go it alone.  While the products and markets may be new and fresh, chances are someone has already spent sleepless nights solving the technology problems.


Filed Under: Cyber Security News

Best Breach History Resources

October 31, 2017 By Carlin Dornbusch

Where is the best website for breach data history? This has been a common question and one that everyone seems to have a personal answer to. In the spirit of Cyber Security Awareness Month, here are some good resources to consider.

As breaches to our privacy continue on a daily basis, they can be hard to keep up with. These resources can help you justify and improve your preventative, detection, and responsive investments.

https://www.privacyrights.org/data-breaches – This site allows you to search the data by 8 Type categories (e.g. payment card), 7 Organizational categories (e.g. education, military), and Year (back to 2005).

http://breachlevelindex.com/ – This site has good visuals and shows summarized data over time. It also allows for data compilation over Type, Industry, and Source.

http://www.idtheftcenter.org/Data-Breaches/data-breaches – The Identity Theft Resource Center has compiled breach data since 2005, and allows access to their summarized graphs and charts.

http://www.verizonenterprise.com/verizon-insights-lab/dbir/ – If you want a thorough and well-written report, then I suggest the Verizon Data Breach Investigations Report (DBIR).

https://dashboard.healthit.gov/quickstats/quickstats.php – For good summarized information on healthcare, the Office of the National Coordinator for Health Information Technology provides up to date dashboards and data sets.

The recent Equifax breach shows what a massive and destructive force not learning from our mistakes can be. If you need any help in understanding how to put these lessons into practice, contact us at American Cyber Security Management.


Filed Under: Cyber Security News

The world seems a buzz about GDPR

October 30, 2017 By American Cyber Security Management

The world seems to be abuzz about GDPR. If you’re not buzzing, you’re not in the know. People want to know what it is, who has to deal with it, when they have to take action, and where they can turn for help. Simply put, GDPR is the European Union’s (EU) latest regulation governing the protection of personal data for all individuals within the EU. GDPR stands for the General Data Protection Regulation 2016/679; it was adopted by the European Parliament on April 14, 2016, and becomes enforceable on May 25, 2018. It is the most important privacy change in the last 20 years. If you offer goods and services in Europe, or have European employees, partners, or suppliers, you’ll need to comply with some form of GDPR.

So, what does ‘comply’ mean? For the entities (people and companies) you deal with from Europe, it means that you’ll need to be transparent with them about the data you collect, why you collect it, and what you intend to do with it. Before you collect their data you’ll need a lawful basis for processing it, which for most consumer-facing uses means getting their permission (explicit consent). You’ll need to keep it only for as long as you need it and protect it while you have it. If something happens to the data (it’s lost, stolen, or corrupted) you’ll need to tell the authorities (the Supervisory Authority in Europe, within 72 hours of becoming aware of the breach) and, where the breach is likely to put them at high risk, the people whose data was affected. It’s a really good idea to encrypt the data and, if you can, to pseudonymize or anonymize it, which means removing or separating the information that identifies a person. If a European citizen asks you what data you are storing or processing about them, you’ll need to tell them, and if they ask you to delete their data, you’ll need to do that too. There are also some additional record-keeping functions, like data mapping and Data Protection Impact Assessments (DPIAs), which you will need to perform regularly and keep up to date. Plus, there are significant financial penalties if you don’t ‘comply.’

Not all of this is bad. In fact, it might actually be good news, as companies will need to review their practices and programs in order to determine exactly what data they are collecting and why. These efforts alone will increase their maturity in data handling and system design. As data breaches become more common, these improved processes can only be a good thing when the companies we entrust with our information have to follow stricter rules.

If you would like more information about GDPR, need help understanding the complexity of compliance, or want to convert your GDPR project into a real privacy strategy, please contact us at American Cyber Security Management today.


Filed Under: Cyber Security News

GDPR: The Culture Challenge!

October 25, 2017 By Carlin Dornbusch

With the General Data Protection Regulation (GDPR) from the European Union (EU) nearing enforcement in May 2018, many enterprises still see it as a project and not a privacy strategy. Here are some excerpts from conversations I have had with managers about GDPR:

  • “Since Safe Harbor failed we’ll see what happens with GDPR.”
  • “I don’t think it applies to us.” (This was a SaaS-based company.)
  • “We know this is very important, but we have so many other things to do.”
  • “We really need help here; this is a very big deal.”
  • “We have a project manager and myself, we need more help.”

GDPR implementations are still in their early days and time will tell on the impacts of non-compliance. However, it is clear that bringing together the regulatory and compliance sides of the enterprise with the mainstream product, marketing, and engineering sides is becoming more urgent. In an Agile culture of rapid delivery, integrated teams, and more intimate customer conversations, enterprises still struggle to fully incorporate their legal and compliance teams into the process. When was the last time you saw a lawyer in a scrum? Have your product owners ever engaged legal in defining a privacy model? It is hard enough to get security requirements into stories, how will enterprises incorporate privacy?

GDPR’s requirements around EU citizen rights will surely make an impact in how global enterprises handle EU citizen data. Many see this as a new default privacy model and embrace the change; others are still determining what it means to their organizations. In either case, GDPR shines a light on the opportunities for enterprises to integrate privacy, governance, and product in order to improve the quality of services we all consume.

Links to the specifics of this new regulation can be found on our site at https://www.americancsm.com/frameworks/gdpr/ and on the EUGDPR portal: http://www.eugdpr.org/

Need help realizing the benefits of GDPR or converting your GDPR Project into a real Privacy Strategy, please contact us at American Cyber Security Management today.


Filed Under: Cyber Security News

Copyright © 2026 American Cyber Security Management