For those who read ‘The Phoenix Project – A Novel about IT, DevOps and Helping Your Business Win,’ Chapter 21 stands out when it comes to security engagement in a typical organization. Side Note: the book is a DevOps must-read.
The dialogue between Eric, a board member at Parts Unlimited, the fictional company in question, and John, its CISO, captures it so brilliantly. Following a grueling audit meeting, Eric says, “Jimmy, Parts Unlimited has at least 4 of my family credit card numbers in your systems. I need you to protect that data, but you will never adequately protect it when the work product is already in production. You need to protect it in the processes that create the work product”.
Though the book was written in 2013, anyone with DevOps experience can immediately relate to this scene: security treated as an afterthought that is bolted on once the work product is already in production.
When you attach a dollar value to this unfair perception of security, it suddenly turns on its head and becomes a blatant strategic deficiency that enterprises cannot ignore.
According to the Ponemon Institute, the cost of a security breach in the US is $8.19 million.
Businesses big and small, in almost every industry vertical, experience the typical IT paradox: how to innovate faster and stay ahead of the competition while, at the same time, continuing to stay secure.
Complex market dynamics such as competition and expanding consumer bases with variable preferences, coupled with geopolitical and seasonal fluctuations in demand, often put tremendous pressure on enterprise IT to provide an agile, high-velocity delivery model with newer and richer features.
Unfortunately, these market dynamics often force organizations to ‘kick the can’ of security down the road, or to avoid it altogether. This is further exacerbated by where the IT security team sits (often at the end of the line) and by its perceived relationship with the rest of the organization… they are the “innovation killers” or “speed governors.” Their role is reduced to being either ineffective or auxiliary.
In this blog, we will focus exclusively on small to medium-sized businesses, which are increasingly at risk of data breaches and cyberattacks due to insufficient security postures.
The 2019 Global State of Security in Small and Medium-Sized Businesses report by the Ponemon Institute, sponsored by Keeper Security, found that:
• SMBs experienced a 16.6% increase in data breaches from 2017 to 2019, going from 54% in 2017 to 63% in 2019.
• 66% of the SMBs suffered cyberattacks in 2019.
• 77% of the respondents surveyed cited a lack of personnel to alleviate cyberattacks, vulnerabilities, and risks.
The overall security posture of an organization is broad, comprising physical, network, infrastructure, and application security.
This blog and the next few blogs will focus primarily on application security. We will discuss in detail how moving security to the left can greatly reduce the attack surface, particularly in the realm of application and infrastructure security.