Veracode CEO Sam King says that security can’t be successful, and in fact will become a blocker, if it operates in a silo. She recently sat down for a fireside chat with Mahi Dontamsetti, State Street CTRO, and Jim Routh, MassMutual CISO, to share her thoughts and observations on communicating about security to the Board and the overall connection between the security function and business functions.
She notes that even though there are often designated technical experts on the Board, there is now an increased awareness around cybersecurity, even among the traditionally business-oriented members. So, it’s important to tailor messages to the business functions so that they too can understand the organization’s risk posture. This doesn’t mean that you should try to make everyone on the Board a cybersecurity expert, but King remarks that there should be a “baseline knowledge that all Board members have around cybersecurity.”
Mahi Dontamsetti agrees with King that cybersecurity should be communicated to all members of the Board in an easy-to-understand manner. Dontamsetti goes on to say that sometimes it’s the non-technical experts who ask the best questions or have important insights into cybersecurity. They’re sometimes able to fill in the “known unknowns.”
Jim Routh adds that Board members are actively seeking out cybersecurity knowledge. “Board members today go to classes to improve their skill through NACD or other associations,” he said. “They’re re-skilling and retooling themselves at a pretty significant pace, so that will give us more Board members with cybersecurity expertise.”
Routh also mentions the importance of level setting cybersecurity expectations with the Board. It shouldn’t be about eliminating all cybersecurity incidents because that’s unrealistic. The goal should be to “recover quickly when you have security incidents and minimize the business impact.” And the whole organization needs to work toward that goal. “Every enterprise at any level of maturity today has to recognize that incident response for cybersecurity has to be a fabric for the entire enterprise. It’s not just a siloed function in IT or in cybersecurity.”
How can you ensure that cybersecurity isn’t siloed? Routh recommends identifying your top 10 cybersecurity risks and making sure that they are well known throughout the company, especially with senior leaders. Resources should be allocated to the top 10 risks, and projects and initiatives around those risks should be prioritized.
Not only should you come up with your top 10 cybersecurity risks, but it’s also worth identifying your top 10 business strategies. King makes the point that “when you’re looking at the top 10 of your business strategies as a company, regardless of whether you’re a cybersecurity company like Veracode or you’re a financial services company, or whatever industry you’re in, cybersecurity has to be in that top 10.” By making cybersecurity a top 10 business strategy, you ensure that executives and senior leaders are prioritizing risk mitigation strategies and, hopefully, integrating the strategies company-wide.
If cybersecurity is siloed, departments may try to ignore security best practices for the sake of speed. King remarks that without cybersecurity integration, you may hear a lot of, “We’re super excited about this project, but once we go to the security person there’s going to be all of these different things that we have to be concerned about. And, will we be able to get it done or not?”
But cybersecurity integration doesn’t have to slow down processes. If you start your project with security best practices in mind from the very beginning, there won’t be time-consuming or expensive rework down the line.
And how about obtaining cybersecurity resources and budget? Well, King explains that if cybersecurity is one of your top 10 business strategies, there won’t be arguments as to whether or not cybersecurity initiatives should be funded. Cybersecurity won’t be “taking money” from a different initiative if it was already determined that cybersecurity is a priority.
To learn more about communicating cybersecurity to the Board, or for tips on integrating cybersecurity best practices throughout your organization, check out the full webinar, Driving the Cybersecurity Agenda with the C-Suite and Boards.
Digital transformation continues to accelerate, and with it, businesses continue to modernize their technological environments, leveraging developer-first cloud-native solutions to build, host, and secure their software. At Veracode, we continue to see customers leveraging large cloud providers, such as AWS, as a central platform to conduct these activities. Customers can take advantage of the many native services available from AWS as well as procure and manage relationships with AWS-certified partner solutions, such as Veracode, through the AWS Marketplace.
Which is why we are pleased to announce the launch of our public listing of Veracode Security Labs on the AWS Marketplace. This listing also enables us to sell our full portfolio of solutions through AWS Marketplace Private Offers. Buying through Marketplace creates more buying options for customers and enables AWS customers to quickly purchase and deploy Veracode’s leading SaaS software security solutions while centralizing billing through AWS. For AWS customers participating in AWS’ Enterprise Discount Program (EDP), purchasing Veracode through the marketplace can drive additional benefits and potential savings with AWS, as a portion of the cost of Veracode can be applied towards your overall annual spending obligations with AWS.
Since launch, several large customers in North America and Europe have successfully purchased Veracode’s solutions via the AWS Marketplace, and are recognizing the variety of benefits offered to them by AWS.
When it comes to building effective and secure applications on a tight schedule, security tools need to be flexible enough to integrate and automate seamlessly into existing processes and workflows, but capable enough to get the job done. Through Veracode’s cloud-native application security (AppSec) solutions we aim to enable the speed, automation, and top-level scanning tools needed to write more secure code and continue hitting deadlines.
With Veracode’s solutions integrated into established processes, AppSec quickly becomes a competitive edge. In addition to the right scanning and testing tools embedded into critical stages of the software development lifecycle, Veracode enables organizations like yours to improve customer confidence through enhanced security, reduced risk, and proven compliance.
AppSec management and measurement are simplified through reliable metrics, progress demonstration, and clear goals. In addition, Veracode’s 1% false-positive rate means less time spent chasing the wrong flaws and more time ensuring your DevSecOps efforts stay on track to keep projects on schedule. It also means a shortened sales cycle that keeps businesses one step ahead of the competition.
There’s no need for lengthy security questionnaires with an established and functioning AppSec program, and sales are not lost due to security concerns from prospects. When Veracode’s cloud-native SaaS platform is in place, it’s possible to start scanning on day one to begin proving compliance and ensuring the quality of your code without missing a beat.
Secure software from the start
Ready to get started integrating Veracode solutions into your AWS environment and improve the state of your organization’s AppSec? Visit our page on AWS Marketplace for more information, and learn about how our tools integrate with AWS here.