What CISOs need to know about application security and cyber risk management

Oct 2, 2019 | Security Threats

Every Chief Information Security Officer (CISO) knows how important risk management is for the health and safety of the business. Enterprise applications and software systems are under a permanent state of threat, making application security and cyber risk management top priorities for successful CISOs.

But the role of the CISO in software and cyber risk management is changing due to several factors, such as increased attention to security from the C-suite and an increase in the sheer risk of cyber threats. Here is what every CISO should know about how to properly handle application security and cyber risk management.

Why application security risk management and cyber risk management matter

Application security risk management is the ability to not only identify application security risks within your organization, but also to prioritize and address them swiftly and appropriately. A proper application risk management strategy covers all types of applications, including web, desktop, third-party, open source, and custom applications being used, as well as any web services and APIs related to the applications.

This is a lot to cover, which is why it usually requires a combination of AppSec testing tools to provide comprehensive coverage. Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST) tools, among others, must be deployed together to identify and prioritize all application security risks within the organization.

At the same time, developers are often pressured to meet deadlines. Application security is often pushed to the side, addressed at the end of the development process, and not given the full attention it deserves.

This makes software applications more vulnerable to potential threats. And with vulnerabilities on the rise (a new record was hit in Q1 2019), application security can no longer take a back seat.

Cyber risk management is another piece of the larger enterprise risk management puzzle that has become increasingly important as more organizations undergo digital transformation. Cyber risk management refers to the organization’s ability to prevent and detect cyber threats.

But it also includes the ability to respond to any event that happens, in a way that causes the least amount of disruption to the business (operationally and financially). It is more than just a technology issue. It is a business issue, requiring attention from C-level executives. 

As organizations rely more on digital processes to run their business, cyber attacks have become a bigger threat, making cyber risk management a higher priority for CISOs in recent years.

The modern CISO’s role in application and cyber security and risk management

The risks associated with application security and cyber security are not going away; in fact, they are growing in size and becoming more serious. The attack surface is increasing due to more applications, more devices, and more data.

Threats are becoming more sophisticated and are constantly changing. A breach in cyber security has financial and operational impacts on the business, and of course damages the organization’s reputation.

A “good enough” approach no longer cuts it. CEOs and CFOs are beginning to realize this. They want to make sure an effective approach is in place, and they want to know that it is working. CISOs now actually have more support from upper executives, with a recent study finding that 82 percent of CISOs believe their leadership supports their team’s work to secure the enterprise’s applications, systems, networks, and data. 

But this also creates new challenges for CISOs, who not only need to address the growing threat landscape, but also have to communicate effectively with higher-level executives and foster a sense of understanding and common language between the C-level and security teams.

Here are some tips for how CISOs can tackle these issues:

Collaborate early 

The sooner CISOs inform business leadership of IT initiatives, the better. The CISO must make sure that high-level business executives understand the strategies relating to application and cyber security early on in the process. This will ensure you have managerial support and will prevent security from being pushed aside in order to meet deadlines.

Change the culture 

The CISO and corresponding security teams cannot be seen as a roadblock that slows things down.

Attention to security can actually set your business apart and make it stand out. Sell this concept to managers, so you can get others in the organization on board. 

Change the perception

Establish an application security and cyber risk management strategy to formally communicate how important it is to the organization as a whole. This should include a governance policy on security and regular training on security topics, as well as new developments in the threat landscape and new technologies available.

Build a common language 

The business side and the technical side don’t always communicate well, but CISOs can improve communication with agreed-upon terminology. Look to standards such as the International Organization for Standardization (ISO) to help select definitions that are accepted by all. Goals and strategies should be based on this common language, so there is a shared mindset on both the technical and business sides.

Share tools and data 

Tools for application security and cyber risk management should not only be used by security team members. They should also provide real-time metrics that C-level executives can access. 

Business executives should also have an understanding of how the tools used can position the company to properly monitor and protect against cyber threats, and how they can be handled quickly and appropriately if and when they do occur. 

The C-Suite also wants specific metrics and reports to see how efforts are going, which creates another CISO challenge. A recent survey found that executives and directors want reports that show how security efforts relate to business processes (not just technical jargon and statistics). They also want to see how vulnerabilities may actually impact the business. 

So rather than getting a report on all of the vulnerabilities that can potentially cause an issue, they want to know which ones are of the highest priority and are most likely to pose an actual threat to the business. A tool that provides Hybrid Analysis Mapping (HAM) allows your security team to correlate the results from SAST and DAST tools quickly and accurately, so you can determine which potential security threats are the most exploitable, allowing you to properly prioritize vulnerabilities.
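The two paragraphs above describe the idea behind correlating SAST and DAST results and reporting them in business terms. The following script is an added illustration of that correlation, not code from the original post or from any HAM product: it joins static findings (file, line, CWE) to dynamic findings (route, parameter, CWE) through an assumed route-to-file table, ranks each issue as confirmed (seen by both), reachable (seen only from the outside), or latent (seen only in source), and labels it with the business process it affects. All file paths, routes, CWE ids, and process names are constructed sample data.

```python
"""Correlate SAST and DAST findings and rank them by exploitability.

Added example. Every path, route, CWE id and business process below is a
constructed assumption for illustration, not output from a real scanner.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SastFinding:
    file: str
    line: int
    cwe: str  # e.g. "CWE-89" (SQL injection)


@dataclass(frozen=True)
class DastFinding:
    route: str  # URL path the scanner exercised
    param: str  # parameter the scanner flagged
    cwe: str


@dataclass
class Correlated:
    cwe: str
    process: str
    status: str  # "confirmed", "reachable" or "latent"
    file: Optional[str] = None
    line: Optional[int] = None
    route: Optional[str] = None
    param: Optional[str] = None


# Assumed route table: in a real program this comes from the web framework.
ROUTE_TO_FILE = {
    "/api/orders": "src/orders/handlers.py",
    "/api/login": "src/auth/views.py",
    "/admin/export": "src/admin/export.py",
}

# Assumed asset inventory mapping code areas to the business process they
# support, so the report speaks in business terms rather than file paths.
FILE_TO_PROCESS = {
    "src/orders/handlers.py": "Order fulfilment",
    "src/auth/views.py": "Customer login",
    "src/admin/export.py": "Finance reporting",
}

# Constructed sample findings from the two tool families.
SAST = [
    SastFinding("src/orders/handlers.py", 42, "CWE-89"),
    SastFinding("src/auth/views.py", 17, "CWE-79"),
    SastFinding("src/admin/export.py", 88, "CWE-22"),
]
DAST = [
    DastFinding("/api/orders", "id", "CWE-89"),
    DastFinding("/api/search", "q", "CWE-79"),
]

# Lower number sorts first: an issue both tools agree on outranks the rest.
PRIORITY = {"confirmed": 1, "reachable": 2, "latent": 3}


def correlate(sast: List[SastFinding], dast: List[DastFinding]) -> List[Correlated]:
    """Join DAST hits to SAST hits on (handler file, CWE) and rank the result."""
    rows: List[Correlated] = []
    matched = set()
    for d in dast:
        file = ROUTE_TO_FILE.get(d.route)
        process = FILE_TO_PROCESS.get(file, "Unknown")
        hits = [s for s in sast if s.file == file and s.cwe == d.cwe]
        if hits:
            # Same weakness class found in the handler's source and provoked
            # over HTTP: treat as confirmed and point at the exact line.
            s = hits[0]
            matched.add(s)
            rows.append(Correlated(d.cwe, process, "confirmed", s.file, s.line, d.route, d.param))
        else:
            # Reachable from outside but no static evidence to locate it yet.
            rows.append(Correlated(d.cwe, process, "reachable", file, None, d.route, d.param))
    for s in sast:
        if s not in matched:
            # Present in source but not demonstrated from the network.
            rows.append(Correlated(s.cwe, FILE_TO_PROCESS.get(s.file, "Unknown"), "latent", s.file, s.line))
    rows.sort(key=lambda r: (PRIORITY[r.status], r.process, r.cwe))
    return rows


def report(rows: List[Correlated]) -> str:
    """Render the ranked list as one line per finding, business process first."""
    out = []
    for r in rows:
        where = f"{r.file}:{r.line}" if r.line else (r.file or "source unknown")
        via = f" via {r.route}?{r.param}" if r.route else ""
        out.append(f"[{r.status.upper():9}] {r.process:18} {r.cwe:7} {where}{via}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(correlate(SAST, DAST)))
```

With the sample data the SQL injection in the orders handler is the only item both tools agree on and lands at the top, the reflected XSS seen only by the scanner on an unmapped route is second, and the two source-only findings trail. The route table and asset inventory are the real work in practice; without them, a correlation report can only show file paths, which is exactly the technical detail executives asked not to receive.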

Follow basic cyber hygiene 

Cyber hygiene procedures form the foundation of any effective cyber risk management strategy and include the basic actions needed to create a secure infrastructure that is less at risk of an attack. Basic cyber hygiene includes things such as performing regular updates, using secure access points, and creating a response plan should an incident occur.

Take an integrated approach to application and cyber security 

Periodic vulnerability scanning and security testing are not enough. A proper approach requires continuous and integrated testing, monitoring, and remediation.

Use systems and tools that integrate with existing systems to make it easier to monitor, manage, and address risk. Visibility into if and how applications are being attacked after deployment is just as important as it is during development. 

The AppSec process does not stop once development is done. CISOs must arm their security teams with the right tools to monitor security in a production environment, so they can detect and respond to attacks if and when they occur.

Stay informed 

There are always new threats emerging and new tools and technologies to monitor and address them. CISOs need to stay educated on the latest cyber and application security threats, as well as technological innovations.

Read the latest news from reputable industry sources. Listen to podcasts, such as those from Application Security Weekly or Enterprise Security Weekly.

Modern-day CISOs have a lot on their plate, especially when it comes to application security and cyber risk management. Following the best practices and tips laid out here and using the most effective and efficient tools available can help CISOs create a successful AppSec and cyber risk management program that pleases even the toughest of CEOs.