For the past 30 days, you’ve likely been inundated with topical reminders about the importance of cybersecurity in all its shapes and aspects. Now, as Cybersecurity Awareness Month draws to a close, all that noise around security should subside – and that is actually a good thing. Allow me to explain.
Too much information?
Cybersecurity is a complex and multi-faceted field, with each segment additionally sprouting its own classifications and acronyms. When awareness month rolls around and everyone starts shouting at once, it can get pretty noisy, making it hard to pick out the information you actually need. Awareness is great, but I think we can safely assume that everyone (and their dog) is now aware that cybersecurity is important. The real challenge is to know which bits of cybersecurity you need to look at and how to turn all that awareness into security improvements for the real world.
Application security is probably one of the noisiest areas of cybersecurity today, and in more ways than one. Looking at the technologies and offerings, you get a bewildering array of acronyms and vendor claims. Once you get down to specific products, you discover that they vary widely in the quality of results they deliver and, all too often, users spend most of their time sifting through false alarms and other irrelevant information. This relentless alert noise leaves security professionals reeling from digital tinnitus – stressed, overloaded, and burning out as they tread water without visible effect.
The heat is on for cybersecurity awareness
At the same time, organizations have come to realize that hoping for the best is no longer a viable strategy for web application security. In 2021, web applications were involved in 70% of data breach incidents, and the average cost of a data breach increased to $4.35M. And let’s not forget that a data breach, while always a nasty incident, is only one possible consequence of a successful attack; denial of service, loss of data, loss of reputation, and legal liability don’t even come close to exhausting the list of fallout options.
There is no question that translating the right AppSec acronyms into specific products and chaining them together into an effective security program is now a must for any organization. But while the pressure to do something is definitely on, deciding on the actual technologies, products, deployment methods, and workflows that will help a specific organization go from requirements to measurable results is a daunting and often confusing task.
Putting the people first
Here’s a refreshingly simple approach to guide you as you navigate the minefields of cybersecurity: follow the path of least noise for your employees. The old truth that security is about people holds more than ever, so whatever you are planning or evaluating, ask yourself whether that technology, product, or process will deliver quality information to your staff while minimizing alert noise and communication overhead. As you add to your toolchains and workflows, follow the path of least noise to get exactly the right security data to the right people so they can act on it without delays and burnout.
Even the best tools don’t run and maintain themselves, and even the most accurate recommendations don’t get implemented by magic. Putting your people first has the immediate effect of tuning out the intense technology focus and instead thinking about who gets what done. Research shows that security professionals can spend up to four hours a day addressing security problems that could have been avoided, with one-third of security and development leaders admitting to having managed issues during their time off. All this takes a toll on mental health and work-life balance, especially when more work doesn’t necessarily mean better security.
Accurate AppSec starts with DAST
Applying this to web application security, you’re looking for the quietest path to maximum web security benefits: here’s an important security defect in your application, here’s how to fix it, and here’s your bug ticket. No false alarms, no miscommunications, no manual double-checking – only specific tasks that bring measurable security improvements. The right tools are important but not as important as having the right people in the right places. Security champion programs are a good example of a people-first initiative to cut down on back-and-forth and bring security expertise closer to development.
A recent Invicti survey really brought home the importance of delivering all the information that matters and none that doesn’t, as a staggering 97% of organizations admitted to mistaking a real vulnerability for yet another false positive at least once a month, with 82% doing this once a week. This is why every AppSec program needs to include a high-quality dynamic application security testing (DAST) solution to cut through the noise and immediately home in on exploitable vulnerabilities. When integrated into existing development and testing tools and workflows, a good DAST product can allow you to scan at selected stages of the development pipeline while also scanning your production apps as often as you need – all with little to no manual work required.
From awareness to action
With the cybersecurity talent shortage still looming large even as threats mount, common sense dictates that you should give your teams exactly what they need – and nothing they don’t. This means providing the right tools, training, and processes while cutting out the noise and unnecessary overhead to minimize stress and maximize efficiency. So now, with a month’s worth of cybersecurity awareness under your belt, follow the zero-noise path to find the approach that works best for your unique organization – and your hard-working staff.