Volatile economic conditions and shrinking budgets are leaving cybersecurity professionals stretched thin, opening organizations to cybersecurity threats. Enterprises can’t take necessary security precautions given smaller teams and slim budgets, resulting in higher chances of cybercriminals exposing vulnerabilities. Disruption, transformation, volatility — whichever keyword fits your style, it all points to one fact: Change is the constant security teams have had to live by for years, and organizations need to be proactive in strengthening their organizations’ security postures.
3 Steps to Better Cybersecurity
- Invest in a DevSecOps culture.
- Think like a hacker.
- Invest in cybersecurity tools and talent.
1. Invest in a DevSecOps Culture
Traditionally, security and developer teams are siloed away from development and ops, resulting in communication gaps as well as security vulnerabilities within the software development life cycle (SDLC). With the adoption of remote work environments, communication problems and mismatched priorities can cause delays in software development, exacerbating problems. So, integrating security from the beginning can alleviate the pressure and help both teams become more efficient in the remediation of vulnerabilities.
DevSecOps is a cultural shift that is essential to protecting systems in an evolving threat landscape. According to a study entitled “The State of Vulnerability Management in DevSecOps” from Rezilion and the Ponemon Institute, more than half of the respondents have adopted automation as part of their DevSecOps approach. These organizations say that this practice makes a difference in the time consumed by vulnerability management. In fact, 60 percent of these respondents say that automation has improved remediation times.
When teams feel overwhelmed with their workloads, vulnerabilities can start to slip through the cracks. By fostering a culture of sharing and collaboration, both developer and security teams can remediate faster, shortening the window for exploitation and creating a more agile team. By contrast, ignoring exploitable vulnerabilities can lead to breaches and ultimately reputational damage, affecting the bottom line.
2. Think Like a Hacker
In managing a cybersecurity program, it’s always better to be proactive than reactive. With a proactive mindset, companies can be forward-thinking in mitigating vulnerabilities and streamlining organizational processes and access controls. In fact, according to OWASP Top Ten, broken access control is listed as the top security risk. The “assume breach” mindset puts security professionals in the position of a bad actor. Proactively asking, “If I have this set of credentials, how far can I go?” helps teams to shore up attack vectors before they’re exploited.
Another way to proactively prevent breaches and build a stronger security posture is to work with white hat hackers. Although people often think of security as a technical issue, the threats and inner workings of attacks are often deeply rooted in psychological tactics. Security is just as much a human problem as a technical one. Getting inside the mind of a hacker is the best way to see how systems can be exploited. Gaining an outside perspective is critical to preventing breaches and bolstering security because this mindset allows your team to objectively view vulnerabilities and provide recommendations for improvement.
At Cobalt, we work with a group of vetted cybersecurity professionals called the Cobalt Core. They view vulnerabilities from a hacker’s point of view. Then, they can pinpoint faults in internal systems that might not be suggested first by the teams themselves.
3. Invest in Cybersecurity Tools and Talent
Despite rampant budget cuts and layoffs, threats aren’t stopping any time soon, and malicious actors taking advantage of slimmer teams. According to Cobalt’s State of Pentesting Report, 63 percent of cybersecurity professionals say that their department has had its budget cut already in 2023. This reduction means security teams can’t pay or support as many staff.
Further, in the last six months, 77 percent of respondents say their department has conducted layoffs, and 63 percent expect their department to do so in 2023. Though many organizations are looking for short-term solutions to alleviate the pressure of economic uncertainty, now is actually the most vital time to invest in proactive cybersecurity measures.
Additionally, the rise of generative AI has opened up additional attack vectors and risks. Cybercriminals can use ChatGPT to create malware faster, enabling less experienced hackers to develop more advanced programs to steal information.
For instance, AI chatbots on a business’s site have access to a lot of data. This access can have the unintended consequence of the chatbot having access to sensitive, private, or confidential information. For example, a nefariously motivated person interacting with the chatbot may be able to convince it to share this information, bypassing intended access controls.
Investing in cybersecurity talent can quite literally pay off in the future. By expanding the talent pool and offering apprenticeships and mentoring opportunities, leaders can build a strong team with highly qualified candidates. By making efforts to close the cybersecurity talent gap and empower more people, leaders can implement a successful security team.
Additionally, leaders should take a closer look at their security tech stack and analyze the capabilities of the tools they already have. Oftentimes, budget constraints can limit innovation and access to new technologies, but vendors are consistently building new features to retain their customer base. Optimizing the security tech stack can be one of the most useful ways to strengthen business security posture, especially during times of economic uncertainty.
Many organizations educate employees on cybersecurity best practices to avoid social engineering tactics such as phishing. With more sophisticated attacks and generative AI capable of creating malicious code, these attacks are only going to become harder to detect and more commonplace. As technology evolves, cybersecurity education is crucial in battling threats and needs to occur on a regular basis. For example, although employees may be familiar with phishing, whaling focuses specifically on high-profile targets such as CEOs or CFOs rather than on large groups within companies. These threats can be even more detrimental since leadership often has more access to classified information and are more likely to be involved in conversations about budgets and financial data.
Every person within the organization, no matter their title or role, is responsible for defending the intellectual property of the company. Empowering employees with information and instilling them with the knowledge to recognize and know whom to notify of any suspicious activity can be vital during threat detection. From the most technical details of attacks to psychological tactics, a holistic cybersecurity education can proactively prevent threats.
Don’t Get Caught Sleeping on Cybersecurity
Business security posture needs to evolve at the pace of new cyber threats. When leaders prioritize security through a people-centric approach, whether with cybersecurity awareness, streamlining workflows with developers and security teams or retaining talent, they’re already one step ahead of the competition. Security may seem like a highly technical practice, but at the end of the day, people are at its core. Especially when it comes to the psychological aspect of phishing attempts, getting inside the mind of a hacker can be one of the most valuable assets for organizations to employ when starting to mitigate their internal security systems.
Leaders have to push their organizations to be agile, especially in a threat landscape that is constantly evolving. Efforts to maintain a strong security posture are never complete, and when leaders implement frameworks like the ones I’ve described here, they can be better prepared for the latest threats.