From Website Security Architecture To The Boardroom: Optimizing Your Business
Threats and challenges

There’s a compelling case for change because the website security landscape is evolving fast, with growing levels of threat volume and complexity. To take a few examples from the Website Security Threat Report and elsewhere [1]:

• In one year, there were 318 major security breaches, exposing 429 million identities
• Half of the applications tested (52 percent) had vulnerabilities, according to Ponemon [2]
• Three-quarters of the websites had vulnerabilities
• Distributed denial of service attacks took down more well-known apps and services, most notably the DYN DNS attack [3]
• Zero-day vulnerabilities reached unprecedented levels, meaning that relying on signature-based malware scanning alone isn’t sufficient
• Cybercriminals are now targeting digital certificates [4]

In other words, it’s getting harder and harder to protect critical systems and data from unauthorized access and to ensure compliance with evolving data protection regulations, such as the new EU General Data Protection Regulation [5], not to mention credit card processing requirements such as the latest PCI-DSS standards.

At the same time, website security teams need to deliver business-focused upgrades. For example, more and more websites feature end-to-end encryption to boost consumer confidence and get an SEO bump. The launch of Google Chrome 56 will accelerate this trend. Similarly, many organizations are switching to more secure SSL/TLS certificates, eschewing SHA-1 signatures and domain validated certificates.

As companies embrace hybrid and public cloud services and support an ever-growing list of end-user devices, manageability and automation are now top of the agenda for IT professionals. This is just as true for website management as it is for other IT domains. For example, companies with joined-up and automated certificate management systems are better placed to respond to security vulnerabilities like the 2016 ‘Drown’ attack [6] than companies that need to check certificates manually.

All this means that CISOs and IT security professionals need to move faster just to stand still. To get out in front requires a new approach altogether.
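The paper’s point about automated versus manual certificate management can be made concrete with a small inventory check. The following Python script is an added example, not DigiCert’s code or a tool the paper describes: it walks a certificate inventory export and flags the weaknesses the text names (SHA-1 signatures, domain validated certificates, imminent expiry) plus SSLv2 being enabled, which is the server-side precondition the DROWN attack relies on. The inventory field names and the hosts are constructed for the example; a real export from a certificate management system would be mapped onto them.

```python
"""Certificate inventory check (added example; not DigiCert's code).

Assumed input: a list of dicts with keys host, sig_alg, validation,
not_after (ISO date) and protocols (enabled SSL/TLS versions). These
field names are an assumption for the example, not a real export format.
"""
from datetime import datetime

# Constructed sample inventory: hosts, dates and settings are made up.
SAMPLE_INVENTORY = [
    {"host": "shop.example.test", "sig_alg": "sha256WithRSAEncryption",
     "validation": "EV", "not_after": "2017-06-30",
     "protocols": ["TLSv1.2"]},
    {"host": "legacy.example.test", "sig_alg": "sha1WithRSAEncryption",
     "validation": "DV", "not_after": "2017-02-10",
     "protocols": ["SSLv2", "TLSv1.0"]},
    {"host": "mail.example.test", "sig_alg": "sha256WithRSAEncryption",
     "validation": "OV", "not_after": "2017-01-20",
     "protocols": ["TLSv1.2"]},
]


def check_certificate(record, today_iso, expiry_window_days=30):
    """Return the list of findings for one inventory record.

    Findings are short tags so they can be counted and routed to the
    team that owns the fix; the order is fixed for easy comparison.
    """
    findings = []
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()

    # SHA-1 signed certificates are the first thing the paper says to drop.
    if record["sig_alg"].lower().startswith("sha1"):
        findings.append("sha1-signature")

    # Domain validated certificates offer the weakest identity assurance.
    if record["validation"].upper() == "DV":
        findings.append("domain-validated")

    # Expiry: an expired certificate is an outage, an imminent one is a task.
    not_after = datetime.strptime(record["not_after"], "%Y-%m-%d").date()
    days_left = (not_after - today).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= expiry_window_days:
        findings.append(f"expires-in-{days_left}d")

    # SSLv2 support is what DROWN exploits, even on otherwise modern hosts.
    if any(p.upper() == "SSLV2" for p in record["protocols"]):
        findings.append("sslv2-enabled")

    return findings


def audit_inventory(inventory, today_iso):
    """Map each host with at least one finding to its findings."""
    report = {}
    for record in inventory:
        findings = check_certificate(record, today_iso)
        if findings:
            report[record["host"]] = findings
    return report


if __name__ == "__main__":
    for host, tags in audit_inventory(SAMPLE_INVENTORY, "2017-01-15").items():
        print(f"{host}: {', '.join(tags)}")
```

Run against the sample data with a reference date of 2017-01-15, the script reports nothing for the EV host, four findings for the legacy host and a 5-day expiry warning for the mail host. The point is not the checks themselves but that they run over the whole estate in seconds, which is what lets a single team respond to an event like DROWN without a manual audit.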
3 | DigiCert, Inc.
Challenges with a legacy approach

1. The silos of the lambs

Unfortunately, there is a lot of ambiguity, confusion and a lack of accountability in IT security departments. Two-thirds of organizations have fragmented security practices, according to Ponemon [7]. They are designed around limiting job descriptions that focus on things – servers, applications and devices – not the valuable data on them.

Your data doesn’t care about your divisions and departments. Nor do attackers. And yet everyone is sitting in their own silo and monitoring their own systems. This person buys certificates, that person manages servers, this other person looks after endpoint virus protection and so on. Management and accountability may only converge in the board room.

Attackers don’t limit themselves to servers, end-user systems or email. They duck, dive and weave to get what they want. Your team should be doing the same to keep them out.

Yet the security of websites, applications and connected devices is a responsibility that falls on multiple teams. For example, one team may find a vulnerability but another has to investigate, research or patch it. This slows down response times, both for prevention and cure. This is a case where poor organization design can lead to security breaches, class action lawsuits and board-level investigations when something goes badly wrong.

Organization is destiny

The way you structure your team, set its objectives, make decisions and allocate responsibility determines the results you see. ‘Structure dictates the relationship of roles in an organization, and therefore, how people function,’ says management expert Gill Corkindale [8]. ‘An outdated structure can result in unnecessary ambiguity and confusion and often a lack of accountability.’

Another example of the risks of poor organization design is the ‘too-busy’ department. For example, a recent NopSec report [9] found that it took financial services firms an average of 176 days to remediate a security vulnerability. This kind of delay is largely due to complex manual processes. Yet these companies have big IT departments full of well-meaning staff who are working long days – just like you.

There is clearly a pressing need for change. The starting point is, of course, where you are today combined with best practice advice. For example, Forrester’s guidance on building a robust security organization [10] or Carnegie Mellon’s strawman organization template [11]. Then there are any number of management frameworks to draw on, such as McKinsey’s well-known 7S model [12], which ‘stresses coordination rather than structure in organizational effectiveness’.

It isn’t necessarily a case of more people, more budget or more resources. In fact, a well-designed organization automatically makes better use of existing resources.

Indeed, there is an argument that adding more people is a mistake. ‘Research shows that every time the size of a city doubles, innovation or productivity per resident increases by 15 percent. But when companies get bigger, innovation or productivity per employee generally goes down,’ according to Tony Hsieh, founder of Zappos.

Fred Brooks’s classic book, The Mythical Man Month, explains why this happens in an IT context. As more people get added to a late-running IT project, the added burden of communicating between all the extra people increases faster than the extra work they do. ‘Adding manpower to a late software project makes it later,’ he says.

The agile development methodology [13] that has emerged out of the software development world offers a familiar model for empowering individuals to deal with rapidly-changing requirements. Agile may be a useful source of inspiration to busy IT security departments. Critically, this approach is adaptive rather than predictive and well-proven inside large IT organizations.