“As cyber threats evolve, we need to evolve as well.”
~ Christopher A. Wray, Director, FBI
“Cybersecurity is a dynamic space. The user faces different challenges every year because there are always new applications and data.”
~ Ken Xie, CEO, Fortinet
“Securing applications requires agility and insight on application behavior, network, workloads that run them, and ultimately the users and devices that interact with them.”
~ Cisco Solutions, “What is Application Security?”
“We always take full ownership of the security of our applications.”
~ Almost no enterprise application owners, anywhere
There’s a cybersecurity problem brewing that many organizations are ignoring at their peril. Throughout the history of information technology, cybersecurity has always been thought of as a “security team problem.” “Let the CISO’s [Chief Information Security Officer’s] group and the network organization folks worry about cybersecurity,” the thinking goes. “This way the enterprise application owners can focus on their own core competencies.”
This approach worked well for everyone involved for a very long time. The cybersecurity team focused on cybersecurity, without needing to know or care about the enterprise applications. And the enterprise application owners were happy to not think about security, assuming that they had all the protection they needed through the network.
Things have changed
Now, however, we are at a crossroads between cybersecurity and enterprise applications. The old model of “perimeter defense” is no longer sufficient. The threats have evolved, and organizations need to evolve their approach if they want to keep their enterprise applications secure.
Unfortunately, many have not yet done so.
While most enterprise application owners still assume that the cybersecurity team is keeping them safe, it is readily accepted in the cybersecurity world that sooner or later you will be breached via your network. Yes, network security, and everything else your cybersecurity team does, is still extremely important. But the sophisticated attackers out there and today’s threat vectors point to the fact that there will be bad actors inside your network at some point in time.
What do these bad actors want? Your data. How are they trying to get this data? Through your enterprise applications.
What does all this mean for your enterprise application teams?
In recent years the cybersecurity world has evolved toward models like Zero Trust and SASE (Secure Access Service Edge). In this new world, each of your cyber assets should be viewed as an “island” that is responsible for its own security. In addition to the network-level security provided by the cybersecurity team, your enterprise application team also needs to ensure that security is built into the applications themselves.
Creating this security requires a multi-prong approach. Your enterprise application teams need to:
- Have the right people on board. Your teams of enterprise application experts need to include someone (or multiple people) focused on security. Today most teams do not have this.
- Complete a Crown Jewels Analysis. Out of all of the hundreds of cyber assets that your organization has, which are most important to the business? A Crown Jewels Analysis involves ranking all of your cyber assets, from most to least critical.
This analysis includes understanding your core data. What is this data, what is its value to your organization and where does it live across the enterprise (quite often data lives in multiple applications)?
Unfortunately, most enterprise application owners do not think in these terms and/or do not have the skill set to do this analysis.
- Protect your most critical cyber assets. Once you complete the Crown Jewels Analysis you need to ensure that the bulk of your teams’ security efforts go to protecting your most important assets. This exercise goes across the board for everything from access control in the application to API security mechanisms, external integration security and more.
- Work with each application’s built-in security functions. Of course, the enterprise application vendors themselves are also including cybersecurity in their products. However, your teams need to understand that in many cases what is provided is not sufficient. Each application’s security capabilities need to be configured to meet your specific needs, and these capabilities may need to be augmented with additional technical solutions that are specific to your assets.
Of course, keeping an application secure is not just a matter of keeping “cybercriminals” out. It also means having adequate internal program change management controls to ensure that program and data changes are identified, tested, authorized and implemented appropriately, and properly configuring access controls to the application itself so that internal access is restricted to the appropriate personnel. In the case of your financial applications, failure to take these actions can create the sort of “material weakness in internal control over financial reporting” that must be reported to the Securities and Exchange Commission in your quarterly 10-Q filing.
Where can you turn for help?
If you realize that the answer to the question, “Who is keeping your enterprise applications secure?” is “Apparently, no one, because what our cybersecurity team is doing clearly isn’t enough,” we can help you complete a Crown Jewels Analysis and implement the recommended multi-pronged security approach.
CIO Professional Services has a proven blueprint for an architecture specific to each asset type that defines the key security concerns in that application and methods for making that asset more secure. We can help you get this blueprint in place, identify security techniques that your enterprise application owners need to develop, help ensure business and IT alignment (to avoid problems like those mentioned above) and more. Give us a call. We’re here for you!
About Colin Carmichael
As a seasoned CIO, Colin’s core belief is that IT adds significant bottom line value to a business; his job is to find ways to make that happen. Known for bringing a blend of hands-on expertise and big-picture visionary thinking to the table, Colin has driven many large scale transformation programs across multiple disciplines in ERP, CRM, Cloud, Operations, SaaS and Cybersecurity.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC (CIOPS) is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.