Businesses have invested a lot of money, effort and technology into addressing cybersecurity challenges in the wrong way. They have been covering issues by applying bandage after bandage rather than attacking the root causes. Ironically, we have reached a point in cybersecurity where the layers of patchwork protection we have been adding are themselves becoming the root cause of issues ever more frequently. And while organizations are clearly investing in necessary cybersecurity technology, investments in other critical areas, such as automation of key proactive security processes and shifting compliance left into design and early development, are significantly lagging behind.
Overreliance on perimeter defenses has created larger attack surfaces for already large targets, such as financial institutions. As the regulatory landscape grows more complex by the day, organizations that do not begin to automate and streamline compliance will be faced with rising costs that will come back to their clients.
It is time for organizations to rebuild the foundation of security and compliance by embracing automation, creating and deploying secure software and addressing the challenges of implementing requirements that are not written for engineers.
Compliance is a moving target
The days are over when software development could take a year or two between major releases. Organizations in every sector are under pressure to develop and deploy software swiftly, sometimes in a matter of days. It’s not that organizations don’t want to implement security early or achieve compliance by design; they just don’t have the resources needed to keep track of everything that needs to be done from the start on their own while also remaining competitive.
No analyst that I am aware of has predicted that in 10 years, compliance problems will be solved by technology. Compliance is a people and process problem. Look at Equifax and Capital One, for example. Both companies had policies in place for securing their technology that, if implemented correctly by their users, likely would have prevented their breaches.
This is where automation truly shines. When we consider how compliance regulations are written, compared to how software is written, it becomes even more understandable how an organization might experience a lapse in compliance. It is unreasonable to expect software engineers and technologists to fully understand regulations that were written by policymakers and implement them in software.
Financial institutions have a particularly onerous set of compliance obligations, ranging from Payment Card Industry Data Security Standard requirements to the Sarbanes-Oxley Act, with international or regional requirements, such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act, compounding the burden. Only the health care and pharmaceutical industries come close in terms of regulations. And those regulations are regularly updated or altered, requiring institutions to continually adjust their software to meet the standards.
Verizon’s 2020 Data Breach Investigations Report found that nearly 90% of all data breaches are financially motivated, up from 71% last year. For that reason, many retailers contract out their financial transactions in order to limit their liability, leaving that job to banks and other financial institutions. Amid pressure from boardrooms and the general public to ensure the integrity of transactions, costs and complexities of compliance continue to increase. The costs of noncompliance can be overwhelming. Data breaches in the banking industry cost institutions an average of $18.3 million, according to a study by Accenture and the Ponemon Institute. Significant breaches can cost even more.
Fixing the foundation
The practice of layering security measures on top of one another, often at the perimeter of the network, has become commonplace. Web application firewalls were designed to buy time for developers to fix issues that might have slipped past them. Nowadays, they are becoming the first line of defense and are either ineffective or, even worse, a source of entry for attackers. Each layer adds another level of complexity that can be used against an organization by attackers fishing for accidental openings in the network. And this layering does not address the problems in the foundation, which was put in place in another computing era and isn't built to handle the speed and scale of modern networks.
For financial institutions, security postures are driven by compliance with regulatory mandates. Institutions that don’t automate and streamline their compliance will continue to leave themselves exposed to breaches and the considerable costs in terms of both money and reputation. Organizations can’t afford to wait solely for a software fix.
These financial organizations especially need to focus on remaking their security foundations so they are built for the current computing environment. This won’t happen overnight, but it also isn’t as complicated as it sounds. By building automation into the foundation, organizations can meet their compliance requirements at the speed of business, better ensuring the integrity of their data. And they can avoid the habit of simply layering on new technologies, which increases complexity, expands access and ultimately can leave them vulnerable to attack.
About the author
Ehsan Foroughi is the vice president of product at Security Compass. He is an application security expert with over 13 years of management and technical experience in security research. He led the Vulnerability Research Subscription Service for TELUS Security Labs. As an entrepreneur, he has also served as the founder and CTO of TELTUB, a successful telecommunications startup. Ehsan holds an M.Sc. in Computer Science from the University of Toronto, a B.Eng. from Sharif University of Technology, as well as CISM and CISSP designations.