December 07, 2023

Top 5 Trends in Cloud Native Software Testing in 2023

As digital threats become more sophisticated, there’s a heightened focus on security testing, particularly among large enterprises. This trend is about integrating security protocols right from the initial stages of development. Tools that do SAST and DAST are becoming essentials in testing workflows. ... The TestOps trend integrates testing into the continuous development cycle, echoing the collaborative and automated ethos of DevOps. TestOps focuses on enhancing communication between developers, testers, and operations, ensuring continuous testing and quicker feedback loops. It leverages real-time analytics to refine testing strategies, ultimately boosting software quality and efficiency. Extending the principles of DevOps, GitOps uses Git repositories as the backbone for managing infrastructure and application configurations, including testing frameworks. ... The rise of ephemeral test environments is a game-changer. These environments are created on demand and are short-lived, providing a cost-effective way to test applications in a controlled environment that closely mirrors production.


Dump C++ and in Rust you should trust, Five Eyes agencies urge

Microsoft, CISA observes in its guidance, has acknowledged that about 70 percent of its bugs (CVEs) are memory safety vulnerabilities, with Google confirming a similar figure for its Chromium project and that 67 percent of zero-day vulnerabilities in 2021 were memory safety flaws. Given that, CISA is advising that organizations move away from C/C++ because, even with safety training (and ongoing efforts to harden C/C++ code), developers still make mistakes. "While training can reduce the number of vulnerabilities a coder might introduce, given how pervasive memory safety defects are, it is almost inevitable that memory safety vulnerabilities will still occur," CISA argues. ... Bjarne Stroustrup, creator of C++, has defended the language, arguing that ISO-compliant C++ can provide type and memory safety, given appropriate tooling, and that Rust code can be implemented in a way that's unsafe. But that message hasn't done much to tarnish the appeal of Rust and other memory safe languages. CISA suggests that developers look to C#, Go, Java, Python, Rust, and Swift for memory safe code.


How the insider has become the no.1 threat

For the organisation, this means the insider threat has not only become more pronounced but harder to counter. It requires effective management on two fronts in terms of managing the remote/mobile workforce and dissuading employees from swapping cash for credentials/data. For these reasons, businesses need to reinforce the security culture through staff awareness training and step up their policy enforcement, in addition to applying technical controls to ensure data is protected at all times. That’s not what is happening today. The Apricorn survey found only 14% of businesses control access to systems and data when allowing employees to use their own equipment remotely, a huge drop from 41% in 2022. Nearly a quarter require employees to seek approval to use their own devices, but they do not then apply any controls once that approval has been granted. Even more concerning is that the number of organisations that don’t require approval or apply any controls has doubled over the past year. This indicates a hands-off approach that assumes a level of implicit trust, directly contributing to the problem of the insider threat.


WestRock CIDO Amir Kazmi on building resiliency

There are three leadership principles I would highlight that help build resilience in the team. First is recognizing the pace of change and responding to the impact it has on a team. It’s not getting slower; it’s getting faster. One of the behaviors that can help your team is to ‘explain the why.’ Set the context before the content behind what needs to be accomplished so we’re all on the same journey. Second is recognizing that we have to instill a learning and growth mindset in the culture, in the leadership, and in the fabric of what we’re trying to achieve. Many businesses are shifting their business models from product to service, and as leaders, it’s important to build a level of learning in that journey for your teams. One of the leaders that I admire and have learned from is John Chambers, who has said, ‘It’s all about speed of innovation and changing the way you do business.’ If we don’t reimagine ourselves, we will get disrupted. Third is transparency around what the key priorities are — because not everything can be a priority — and then creating flexibility around those priorities and how we get to the outcomes.


AI Governance in India: Aspirations and Apprehensions

While India’s stance on AI regulation has sometimes appeared to waver, it is steadily working towards establishing a clear regulatory approach and AI governance mechanism, especially as the country assumes a more prominent role in the area of AI-related international cooperation. AI-enabled harms and security threats exist at all three levels of the AI stack: At the hardware level, there are vulnerabilities in the physical infrastructure of AI systems. At a foundational model level, there are concerns around the use of inappropriate datasets, data poisoning, and issues related to data collection, storage, and consent. At the application level, there are threats to sensitive and confidential information as well as the proliferation of capability-enhancing tools among malicious actors. Therefore, while the governance of the tech stack is a priority, governance of the organisations developing AI solutions, or the people behind the technology, could also be productive. Even as democratisation has made AI more accessible, assigning responsibility and defining accountability for the operation of AI systems have become more difficult.


Liability Fears Damaging CISO Role, Says Former Uber CISO

The average person on the street would think it reasonable that a CISO should be responsible for all aspects of an organization’s security, Sullivan acknowledged. However, the reality is the CISO role is unique among executive positions. “The CISO is fighting an uphill fight every day in their job. They’re begging for resources, they’re trying to get the rest of the company to slow down and think about the things they care about,” he noted. “Our job is different from everybody else’s. When you’re the executive responsible for security, you are the only executive who has active adversaries outside your organization trying to destroy you,” he added. ... Despite the growing personal risks for CISOs, Sullivan emphasized that “we should not run away from the situation,” adding that “if we do, we’ll miss a huge opportunity.” He believes there is a fundamental shift coming in terms of the regulation that’s on the horizon in cybersecurity, which will force organizations to revise how they approach security, and current security professionals must be to facilitate this change.
