Major data leaks are on the rise: according to a recent report, the number of records exposed in Q1 of 2020 was 273% higher than in Q1 of 2019. How is that possible? Are attackers getting smart enough to circumvent even the most sophisticated security controls and countermeasures?
Part of the answer is that never before have we had such fast-moving technologies and such short release cycles in development. The amount of software that businesses of all sizes release to the market is astounding, and a raw count of leaks has to be read against that volume. It is like counting absolute transport fatalities without placing them in the context of passenger miles travelled: the absolute number can grow while the rate per unit of exposure stays flat.
Enhanced tooling and automation play a central role in any security strategy. Whether you are an information security professional or not, over the last few years you have probably heard the terms “shift-left”, “automation” and “security guardrails”. From a security strategy perspective, the increased attention and investment in automating the developer toolchain is bringing more innovative solutions. The side effect is a much larger portfolio of tools handed over to developers on a continuing basis.
The Race to Stay Ahead
In the face of this new information technology reality, most companies are rushing to onboard security tools that automate some security gates without slowing down the DevOps workflow. Meanwhile, development teams are under increasing pressure to deliver software at a pace never seen before while integrating all these tools into the DevOps environment, in addition to triaging and fixing the findings they produce.
The Human Aspect to Cyber Security
What about the human aspect of cyber security? While automation is a key factor, it will not help if you do not apply the proper rule sets for your code scanning tools, or if you simply ignore the findings because you do not fully understand the risk behind them. Training employees in new technologies and tools is helpful, but it will not have the expected impact on its own: new knowledge fades away quickly if employees are not convinced of the importance of security and see it as yet another backlog item.
Establishing a Strong Security Culture
This is exactly where corporate security culture comes into play. As management expert Peter Drucker famously stated, “culture eats strategy for breakfast”. Establishing a security culture is much more than enabling the workforce to apply security best practices, use the required tools or follow security processes. It is about engaging people at all levels of the company to develop a security mindset, and about creating an environment that promotes sharing and caring rather than blaming and shaming. Ultimately, it is about enabling employees to feel excited about and proud of what they can accomplish.
Building a strong security culture is a long and complicated endeavour that many companies fail to do properly. At SAP, the Security Enablement and Engagement team, part of SAP Global Security, has taken this challenge as its mission, and we have been building a large security community at SAP, and thereby a strong security culture, for many years. This effort encompasses company-wide communication channels, year-round security trainings and workshops, and a number of events to attract and engage the workforce, such as the Security Escape Rooms and Capture the Flag events.
October is Cyber Security Month around the World
October is the month in which security multipliers, developers and employees at SAP learn, teach and share cyber security knowledge. Don’t miss the opportunity to refresh your security awareness, improve your skills and spread the message to your colleagues, because even if automation is crucial, security is ultimately about you.