Software Development Practices Help Enterprises Tackle Real-Life Risks

Cybersecurity is no longer confined to the security operations center (SOC), as threats trickle in from new hires, poor governance policies, or vulnerable third-party vendors. What was once a SOC responsibility now extends to roles across the organization, from Human Resources and accountants to front desk personnel.

The line between what is or isn't considered a security issue also continues to blur as technology inundates business operations. However, frameworks like the Software Development Life Cycle (SDLC), which lays out where security is built in from the start of a project, can still be applied to what normally appears to be a non-security-related issue.

Following the SDLC, organizations can break complex projects down into five simple phases: plan, design, develop, deploy, and maintain, explains Mathew Everman, director of information security at the Center for Internet Security. Doing so helps embed security into the company culture.


Everman will dive into the concept during an RSAC conference session in San Francisco this month to help "break down the walls" between people who are trying to fit into security or governance boxes, a problem he experienced personally.

Dangerous Curve Ahead

Everman developed the concept after observing the talent acquisition process. While it's commonly managed by HR, other teams such as IT, governance, and legal are involved as well.

New hires and former employees can both introduce security risks into the environment. For example, in 2024 KnowBe4 accidentally hired a North Korean threat actor as a software engineer who had cleared what appeared to be a legitimate background check.

Risks aren't confined to the onboarding process. When organizations terminate employees, they often forget to revoke access, leaving live accounts that attackers can quietly take over.

In the talent-acquisition use case, Everman broke the process down into categories that align with the usual hiring workflow: job description, job posting, interview, onboarding, employment, and off-boarding. To address threats similar to the one KnowBe4 experienced, he suggests building a threat profile for each role so companies can determine "how dangerous is this role to my organization if I fill it with the wrong person," he says.

Talent acquisition processes can also borrow the security team's threat-monitoring approach to reduce risk. At previous companies, Everman added departing employees' home IP addresses to the VPN block list after they left. While such a block list is easy to bypass, organizations may not want a former employee reconnecting at all, especially one who left disgruntled.
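The two off-boarding failure modes above (access left enabled after a departure, and a leaver's network addresses still able to reach the VPN) lend themselves to a simple reconciliation check. The following is an added example, not code from the article, from Everman, or from the Center for Internet Security: it joins a constructed HR leaver list against constructed directory accounts and VPN session records, flags accounts still enabled after the termination date, flags any VPN session dated after the owner left, and lists the source addresses each leaver used before leaving as block-list candidates. All user names, dates and IP addresses are hypothetical, and the record layouts are assumptions standing in for whatever the HR system, directory and VPN actually export.

```python
"""Leaver reconciliation: find access that should already have been revoked.

Added illustration; not the article's or CIS's code. The HR, directory and
VPN record shapes below are assumed, and all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    user: str
    termination_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class DirectoryAccount:
    user: str
    enabled: bool


@dataclass(frozen=True)
class VpnSession:
    user: str
    source_ip: str
    day: date


# Constructed sample data (hypothetical users, documentation-range IPs).
HR = [
    HrRecord("alice", None),
    HrRecord("bob", date(2025, 3, 14)),
    HrRecord("carol", date(2025, 3, 28)),
    HrRecord("dave", date(2025, 1, 10)),
]
ACCOUNTS = [
    DirectoryAccount("alice", True),
    DirectoryAccount("bob", True),     # left 2025-03-14, never disabled
    DirectoryAccount("carol", False),  # correctly disabled at exit
    DirectoryAccount("dave", True),    # left 2025-01-10, never disabled
]
SESSIONS = [
    VpnSession("alice", "198.51.100.7", date(2025, 3, 30)),
    VpnSession("bob", "203.0.113.5", date(2025, 3, 1)),
    VpnSession("bob", "203.0.113.5", date(2025, 3, 20)),  # after bob left
    VpnSession("carol", "203.0.113.9", date(2025, 3, 25)),
    VpnSession("dave", "192.0.2.44", date(2024, 12, 1)),
]
TODAY = date(2025, 4, 1)


def leavers(hr: List[HrRecord]) -> Dict[str, date]:
    """Map each departed user to their termination date."""
    return {r.user: r.termination_date for r in hr if r.termination_date}


def stale_accounts(hr: List[HrRecord], accounts: List[DirectoryAccount],
                   today: date, grace_days: int = 1) -> List[str]:
    """Accounts still enabled at least grace_days after the owner left.

    A short grace period absorbs same-day processing lag; anything beyond
    it is the 'forgot to revoke access' case the article describes.
    """
    left = leavers(hr)
    return sorted(a.user for a in accounts
                  if a.enabled and a.user in left
                  and (today - left[a.user]).days >= grace_days)


def post_exit_sessions(hr: List[HrRecord],
                       sessions: List[VpnSession]) -> List[Tuple[str, str, str]]:
    """VPN sessions dated after the user's termination.

    This escalates the finding from 'access left open' to 'access used'.
    """
    left = leavers(hr)
    return [(s.user, s.source_ip, s.day.isoformat())
            for s in sessions if s.user in left and s.day > left[s.user]]


def vpn_block_candidates(hr: List[HrRecord], sessions: List[VpnSession],
                         lookback_days: int = 90) -> Dict[str, List[str]]:
    """Source IPs each leaver connected from in the window before leaving.

    These are the addresses to consider for the VPN block list. As the
    article notes, the list is trivially bypassed from another network, so
    it is a tripwire that complements revocation, not a substitute for it.
    """
    left = leavers(hr)
    out: Dict[str, set] = {}
    for s in sessions:
        term = left.get(s.user)
        if term is None:
            continue
        if term - timedelta(days=lookback_days) <= s.day <= term:
            out.setdefault(s.user, set()).add(s.source_ip)
    return {u: sorted(ips) for u, ips in out.items()}


if __name__ == "__main__":
    print("still enabled:", stale_accounts(HR, ACCOUNTS, TODAY))
    print("used after exit:", post_exit_sessions(HR, SESSIONS))
    print("block candidates:", vpn_block_candidates(HR, SESSIONS))
```

The check is only as good as the termination feed: if HR records the exit late, every function here is late with it, which is the argument for wiring the off-boarding step into the hiring workflow rather than running this as an after-the-fact audit.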


Security culture training is another main component of the talent acquisition process. Everman recommends that organizations gather open-source intelligence once someone is onboarded, monitoring their social media and online activity to verify whether their idea of acceptable risk or compliance aligns with the company's.

A new hire may show off their fresh ID badge and announce on social media that they scored a new job. To some people, that just comes across as excitement. But to Everman and his red team, that's an opportunity to lift the badge's details from the photo and do some damage. Like other seemingly non-security-related issues, it may look innocuous, but "there is a danger there," he says.

"Now more than ever, security and governance teams are spread," Everman says. "Business hasn't changed, but emerging tech like AI is moving so quickly, implementation for things moves so quickly. Things that we used to be able to have a reactive approach for may not be in the best interest now."

‘It’s a Weird Way to Think of Things’

The way organizations view threats is also shifting. People jump to security when they think of a threat or cyber incident, but that's a "weird way to think of things," says Everman. Cybersecurity threats aren't the only risks draining enterprise time and money, he adds.


A threat could be something that compromises a company's reputation, or it could be a privacy threat. Approving a vendor and then deploying the new tool without performing all the checks and balances can slow an enterprise down, and it leaves cybersecurity professionals exposed if a problem isn't caught before it reaches production.

The earlier and more tightly privacy policies, risk appetite, and cybersecurity are integrated into these enterprise processes, "the better the chance you'll be able to be confident that you're putting something that is secure out into the world," Everman says.

Stop Butting Heads

Everman implemented the approach internally, and it has led to better conversations with other teams than ever before, he says. Those conversations have expanded beyond IT to project management teams as well, because it's important for security to be included in planning talks early on, he adds.

“We’re integrating our security components into their planning phases, so they slot things in where they’re supposed to go,” he says. “Who we’re talking to is changing the most. We’re talking to major decision makers and those conversations that used to be for the CISO.”

The Center for Internet Security must be on the edge of whatever is coming out at any given time, he says; to provide that, security teams need to be as integrated into those processes as they can be. Even teams Everman and his team used to "butt heads with" are more open to integrating when approached with a plan, including developers, who have a reputation for clashing with security.

“We’re trying to fit into their workflow,” he says. “If I fit seamlessly into your workflow because I know what it is, you won’t see me as friction anymore.”

Source: www.darkreading.com…