Scale Security

  • 23 October 2023
  • 4 replies
  • 62 views

I'd like to discuss how organizations can introduce security and adapt to the ever-changing cybersecurity landscape while maintaining seamless operations.

What are some of the significant challenges that you faced to 'scale' security, and how did you address them? 🤔


4 replies

Hi!
From my perspective, one of the primary ways to do it is Security by Design. Following the Shift Left approach, you can place security at the design phase simply by applying security activities such as Threat Modeling to your design. It would spare you further effort and back-and-forth reviews, fixes and re-tests in the code. Having an up-to-date Security KB for this is paramount.

On top of that, TM can be applied after the design phase at any time considered appropriate, and for any new feature or functionality added.
In addition, carrying out SAST tests and pentest activities will help to have secure development.


In my experience, Larry, ensuring that top management are on board with the whole security practices 'slash' security culture 'slash' security mindset has made the difference on whether a security programme had legs or not. With this in place, the challenges became significantly reduced. The main challenge I find is that shifting left, which means, amongst other things, developers, operations, security and compliance teams all working in parallel, is not necessarily realised. This is not an unusual predicament, however, and how can it be, considering how time-consuming it is, as we know from traditional methods, to do security/compliance checks, particularly on a complicated system or systems?

As GeyBorch has alluded to, there are several tools out there now that can help you do exactly this, and my recommendation would be to invest some time in this.

I'm just starting to work with the development team. Thank you for your kind words, let's see how it goes! 🤞

The comments about leadership alignment, cultural shift and making TM part of the SDLC are spot on and precisely how we went about it in my org.

Creating "security champions" out of the engineering org, e.g. across various squads or product teams, who have a certain percentage of their time dedicated to security tasks, e.g. Threat Modelling, security review of their code, vulnerability management of dependencies, etc., is critical to scaling the security function. This is usually only possible if that engineering leadership buy-in has been secured.

The engineering team is usually much larger than the “security team”, so shifting security tasks leftwards and making engineering security champions an “extension of the security team” has many side benefits including “scaling” the security practice. This also creates collaboration and partnership between security and engineering, as opposed to the traditional adversarial relationships that can ensue if security is seen as the people who “call your baby ugly” by finding flaws in your “engineering creation”.
