According to IDC research sponsored by SAP, only 33 percent of surveyed companies have a formal vulnerability and management process to remediate security flaws in enterprise applications. However, almost 40 percent of respondents said eliminating security vulnerabilities was a top priority.
That gap was among several fascinating reveals in a conversation I had with two security experts during a recent webinar I hosted, “Securing the Intelligent Enterprise.”
Here are my top three takeaways from our talk:
Make Security a Group Effort
Robyn Westervelt, research director of Security and Trust at IDC, said that longstanding problems, such as managing encryption and addressing application vulnerabilities, are catching up with companies as hybrid and multi-cloud environments become the norm. What is new is that IT security is not alone in addressing these challenges.
“There is this lack of visibility and control felt not only among IT security personnel, but also with line-of-business IT and operations personnel,” said Westervelt. “Security is increasingly working with data analysts and data owners — even on the issue of data quality. And, the regulatory environment is driving enterprises to address privacy and trust like never before. They have to answer the two most important questions: where are my most critical assets and who has access to them?”
Do Not Overlook Security Basics
Given the growth of high-profile data breaches and cyberattacks, you would think companies would not get caught without fundamental security measures in place.
Westervelt disagreed. She shared how one consumer goods manufacturer had no modern backup systems when it was hit with a ransomware attack. The massive losses cost the company millions.
“They couldn’t run production lines…and senior management had to call in retirees to figure out formulas for several longstanding products,” she said. “They now have a chief information security officer building a security program from scratch — beginning with authentication and identity and access management, and moving straight through to data security, encryption, and more.”
With data from many devices across different systems, both inside and beyond organizational walls, it is no wonder that over 40 percent of IDC survey respondents said they were challenged to securely manage information access and integration. Still, that is no excuse for not taking preventive steps, such as patch updates.
Ralph Salomon, vice president of Enterprise Security at SAP, described how one customer recovered quickly from a ransomware attack. “The head of infrastructure called me to say, ‘thank you very much for kicking our butts to focus on getting our patches implemented on time in our environment because it saved us so much effort.’ We had proper backups available to restore data very fast,” he said. “Implementing application patches adequately is very important [for] ensuring basic [security] hygiene.”
Commit to a Risk-Based Security Framework
Both experts agreed that identifying the most critical security risks and allocating resources appropriately were crucial for every company. Westervelt said the most successful companies commit to a security framework. She directed the audience to several trusted frameworks that hundreds of thousands of developers are already following.
“I’m a believer in secure software development and injecting security in at the earliest stages because bolting on security is costly after the fact,” she said.
In a cloud-based world, Salomon said it is vital to consider the cascading potential for threats across an organization’s ecosystem. Attackers can enter an organization through customer or partner systems. This is factored into SAP’s overall security strategy.
“We are engaging with our customers [by] looking at the key requirements so we can extend these demands across our portfolio,” Westervelt said. “We’re constantly evolving security. Everything is linked to our company strategy. Our purpose is to make the world run better and improve people’s lives by securing the intelligent enterprise for customers and SAP.”
Foiling cybercriminals and protecting private data will only become more difficult. The webinar replay details important advice, including what every company should demand from its software vendor when it comes to security, and how to thwart the most common breaches that continue to ensnare unprepared organizations.
Follow me: @smgaler