Closing the Gap Between Innovation and Security
A little tech startup once held the mantra “move fast and break things.” As we’ve witnessed the social media network grow into a giant, the shadow of this philosophy haunts the company, as well as many others that followed in its footsteps.
The community platform updated its mission statement in 2014 to read “move fast with stable infra,” but the genie was already out of the bottle. This business attitude is still alive and well today.
Fueled by pressure from investors, stakeholders, and higher-ups who fear the speed of their competition, businesses are growing more rapidly than their infrastructure can be made secure. This creates major issues when companies are launching creative marketing campaigns, moving to the cloud, and generating highly engaging touchpoints with their customers, but they lack the security to protect themselves and their users in the long run.
As businesses race to expand their online presence to enrich products, deepen customer relationships and boost their brand ecosystems, we are seeing disastrous consequences. And once companies get big enough that security is a concern, it’s extremely difficult to retrofit protections into systems initially built without them, causing myriad challenges.
For example, web assets that are created outside of corporate controls expand a company’s overall internet presence, and therefore its attack surface, to unmanageable proportions. Even best efforts to guard against external cyber threats are coming up short, as businesses spend up to $171,233 every 60 seconds while attackers continue to proliferate and launch successful threat campaigns online.
Not only are companies realizing these high-profile breaches are expensive and wrought with challenges, but they’re also increasingly aware that they’re responsible for what happens to their customers and their customers’ data in the cloud and across the open internet. In the face of regulations like the EU’s General Data Protection Regulation, businesses get penalized for having such a lack of security.
One of the goals with these regulations is to bring security to the beginning of the conversation through financial penalty, especially for companies collecting a lot of personally identifiable information (PII). These companies might think they’re secure but will suddenly face million-dollar payouts when criminal groups breach their networks. Needless to say, there’s a lot at stake.
Security and innovation aren’t mutually exclusive, and organizations would do well not to treat them as such. IT professionals across sectors need to work together to employ responsible security practices as the foundation of innovation. When a creative team develops new assets and applications, it should automatically fall under the visibility and purview of the organization’s security team.
Proper quality assurance doesn’t stifle creativity. But when a poorly engineered system is the cause of a major disaster, innovation slows to a crawl because an entire team’s resources are required to repair damages.
As companies evolve online to make more meaningful touchpoints for their customers, partners, and employees, they’re also creating openings for bad actors to sneak through. Hackers prey on organizations that lack visibility into their attack surface because this allows them to access credentials and sensitive data more easily. Businesses must realize they are vulnerable well beyond the firewall, to the far corners of the internet.
At my company, where we build a map of a brand’s entire attack surface to give them the full picture of their internet assets, we understand the importance of helping companies find and understand what they’re responsible for protecting. A company simply cannot have a strong defense if it’s not willing to see (or doesn’t know how to see) the deep corners of its own web presence.
The security strategy at most organizations is a defense-in-depth approach, starting at the perimeter and layering back to the assets needing protection. But there are disconnects between that kind of strategy and the attack surface. As companies innovate and expand, so does their attack surface, making it vital to adopt security strategies to help executives better understand and defend against vulnerabilities so they do not bring creativity to a halt.
So how do business leaders and CISOs discover all of their internet-facing assets? Many teams do something similar to using Google to search for information, but they’re limited to using terms they’re familiar with in hopes of finding an answer — they can only search for which assets they know may exist. The problem here is a classic, “You don’t know what you don’t know,” scenario.
This is where automation and machine learning come into play. Organizations need an automated approach that includes broad internet data set collection and correlation to identify and respond to targeted external threats. Looking forward to the advancement of IoT devices, for example, this need will multiply. The conversation here isn’t just about a consumer’s bank accounts but goes all the way to preventing GPS vulnerabilities that show where they are.
To close the gap between innovation and security, business leaders and CISOs need to be moving fast without breaking things. The mindset has to change. Innovation and cybersecurity are not mutually exclusive, so business leaders need to cultivate a knowledgeable and cyber-aware workforce that recognizes cybersecurity as a culture, not just a product.
“Innovate or die” is in the DNA of startups. Given all of the drastic repercussions businesses are facing, it will become “Innovate securely or die.”
As we’ve seen recent startup sagas unfold, this insecure innovation ghost can come back to haunt companies that favor growth over security, instead of growth and security. Organizations that collaborate across departments to create a well-guarded attack surface will help to bake security into the foundation of innovation, product development, customer touchpoints, and marketing efforts for long-term efficiency and profits.
