A lot is changing in the business world as organizations continue to navigate uncertainty. Every change has the potential to increase your risk profile. Rarely is this a gradual shift — many businesses have already made abrupt pivots around budgets, expenses, staffing, and more — leaving security teams with an entirely new set of circumstances around how they collect, manage, and protect sensitive data.
In this blog post, we’ll look more closely at a series of scenarios that are affecting hundreds of organizations on a global scale — in this year alone, Big Tech has cut more than 150,000 positions, and companies like Disney have announced budget cuts that amount to $5.5 billion.
Troubling as these stats may be, they’re a signal to security teams that changes are coming, and there’s no better time to prepare for them than now. Rather than zero in on the uncertainties, we want to highlight a few points security teams can fall back on as they try to re-establish their organizations’ risk profile, tolerance, and compensating controls.
Scenario 1: A healthcare enterprise has to slash department budgets and reduce spend on vendors and tools.
Threat: Cutting ties with vendors can damage the confidentiality, integrity, and availability of sensitive information.
In an ideal world, your team will have a say in which vendors should stay because they are critical to maintaining your infrastructure — but that’s not always what happens. Pressed for time, department heads can make siloed decisions on what tool or vendor needs to go, often not considering how that impacts wider data management.
Thankfully, most vendors will have a grace period of up to 3 months to accommodate data transfers back to your internal systems. The tricky part is trusting the vendor to dispose of your data once your contract expires, and doing so responsibly. Whatever the scenario, you need to get written confirmation that the vendor has done their part in keeping your data safe.
How you get this documentation can vary based on the type of vendor, data, and contract in place, which is why it’s important to have termination and exit clauses agreed on as part of your vendor review processes.
But what are your options if there is no information in the final paperwork? You can make a formal written request to the vendor to “shred” your data (both for digital and physical formats) and provide an attestation or certificate to confirm this. If you have cybersecurity insurance, make sure to consult the policy’s fine print for any other steps you need to take in order to stay covered.
Threat: Departments quickly switch to more affordable vendors, which prompts a rushed risk assessment.
It goes without saying that these changes will stress test your company’s vendor review processes — in some cases, department heads or employees might decide to introduce shadow IT because they perceive vendor assessments as too slow for their deadlines.
While individuals might think this is the best move for the company now, they are inevitably putting its reputation and finances at considerable risk. HIPAA compliance is not a voluntary step for healthcare companies — it is required by law, and risk assessments are a crucial part in making sure PHI stays safe. Communicating this clearly to the entire company is the first critical step a security team needs to take when handling this threat, and it should be a message communicated from the top down.
And yet, unexpected situations call for some agility, which brings us to our next recommendation: as the company is cutting back on expenses, your team has to cut back on unnecessary red tape. If there is a step in your vendor assessments that can be automated or removed, now is the time. Communicate what information employees should collect from new vendors. A ticketing system can help move things along more quickly, clear up questions, automate updates, and store important information for later re-evaluation. Here’s how we recommend breaking down the process for fast and consistent results:
You can download the full resolution image here.
Scenario 2: A SaaS provider sets an ambitious development roadmap to beat competitors.
Threat: Dev teams ignore or rush administrative controls and established security processes.
From an organizational point of view, you might see a disconnect between security best practices you’ve established, and the actual work the dev team delivers. This could be from demoralization, fear, reluctance, or a combination of all three. Changes to business operations will take their toll on people — who also happen to be your biggest security vulnerability. Whether intentional or not, negligent behavior is likely, which can disrupt data CIA, or even lead to leaks.
Falling morale was something we observed in last year’s State of Pentesting report, although under different circumstances (the Great Resignation) — more than 50% of respondents from both security and development teams were considering quitting their jobs because of limited resources and mounting pressure.
When asked what could change their minds, they highlighted a need for a stronger focus on their personal and professional development (59%), a stronger community feeling while their company was primarily working from home (55%), and additional compensation options, such as bonuses or stock options (44%).
Team morale is not something a security control can fix, but this is where leadership makes a difference. Team leads have to align on what’s achievable, what’s negotiable, and what really can’t be done, and support their people in achieving the best work they can. In an interview with our CSO, DevSecOps Transformation Architect Larry Maccherone shared the following advice:
“Try to hook into your development teams’ natural desire for engineering excellence. They want to be proud of their work, and that’s difficult if they know it includes security vulnerabilities.
At Comcast, I would lead DevSecOps transformation one engineering team at a time. I’d start with a workshop for each team, and would only go ahead if the product owners and managers are present. If they weren’t, I would send everybody away and reschedule.”
Threat: Insecure code makes its way into new features.
Seemingly improper code can quickly find its way into either testing environments or production. Lack of security awareness and tight deadlines can cause errors where a developer uses prefabbed code from a repository, thinking it must be secure, or not having the time for due diligence because the sprint is about to end. If stretched, your security team can struggle to keep up, leading to new vulnerabilities in your application. A pentest from a third party can help catch those mistakes and compensate for team blind spots, along with other security controls.
Here’s some advice from Jay Paz, Cobalt’s Senior Director of Pentester Advocacy & Research, who in a past role was the only security engineer at a company with more than 400 developers:
“There wasn’t a huge focus on security. The way I could help development with some of these issues was to be embedded in the team, have access to code and PRs. I’d offer template code, review their already submitted PRs and really be a part of that team.”
This drove noteworthy results:
- Alleviated some of the pressure on developers by helping with code;
- Motivated the dev team to work on security issues because he supported them with their goals;
- Encouraged participation from developers and product managers, who became more involved in how secure their product was;
Finally, we wanted to explore the security risks around a third cost cutting measure organizations often take: workforce reduction. Setting aside the emotional impact (which can be challenging in and of itself), teams should focus on the following threats to their operations:
- Loss of tribal knowledge if the organization does not have a strong process documentation culture
- Drop in morale leading to mistakes and not following proper protocols and processes
- Insider threats that compromise physical security and intellectual property
We addressed low morale earlier in the post, and more focus on documentation (although quickly considered tedious) can help minimize losing critical knowledge that keeps the company’s wheels turning.
As for insider threats, as unpleasant as the topic might be, it is still a risk teams should account for. Best practices include deactivating devices remotely, changing system passwords, and revoking access to both physical and digital workspaces. To further stop data exfiltration, teams can implement around-the-clock system monitoring, privileged access management, email filtering, training and unchangeable data backups.
Change is challenging — but not impossible to navigate. Security leaders should continue advocating for their teams’ work, guiding the organization on how they can move forward without escalating their risk. As disruptions take their toll on energy, morale, and focus, this is the time to demonstrate strong and compassionate leadership, and support your people with more training opportunities, stronger community feeling, and wider recognition of their efforts. And if circumstances call for more robust risk assessments, Cobalt’s team can give your team the support, expertise, and vulnerability insights it needs to move forward.