If organisations acknowledge the critical role of cyber security – and they should – security teams shouldn’t be caught in a hustle for funds, writes Stephen Gillies at Fastly.
The incontrovertible truth of operating in a digital-first business landscape is that cyber security is more critical than ever. It seems like a safe assumption that all businesses digitally transforming would take heed. But, as ever, things aren’t quite so cut and dried.
The criticality of cyber security still holds true. Digital has dominated IT strategies over the past two years, but operating securely in a mostly or fully web- or cloud-based environment means accepting a higher level of risk, and a corresponding level of discomfort for security teams. I think we can all agree on that.
Where it starts to unravel, however, is that security teams may be living with elevated discomfort for longer than they need to or should.
Recent research by Ecosystm for Fastly shows that application security often comes off second in the competition for attention and funding.
Over half (53 per cent) of Australian IT leaders say they’re prioritising “other digital transformation projects” above application security in 2022, while 39 per cent say “other business initiatives” outside of IT are taking priority – also to the detriment of cyber security, since the money, at some point, all comes out of the same technology pot.
That is a problem when you consider that three-quarters of Australian organisations are now living with a vastly increased attack surface caused by their reliance on web-based applications and by the geographic dispersal of employees and endpoints. Organisations should be doing everything possible to reduce the size of the target on their backs. Application security is an obvious investment area in that context.
While IT leaders expect to increase focus on the security of web applications in the next two years, their focus on other digital and business initiatives in 2022 means that activity is more likely to be funded out of 2023 budgets. As organisations invest more heavily in digital initiatives, they should consider security implications from the beginning as a non-negotiable component.
Complexity breaks
One of the reasons application security is being put off or underfunded may be that traditionally, it has been a complex space to secure. Some organisations may be unaware of newer generation technologies and strategies that are easier to implement and manage.
Our research shows that the key challenge for managing application security initiatives is complexity. Fifty-five per cent of Australian IT leaders say too many third-party providers are involved in the end-to-end security of their applications, pointing to the new reality of operating in a cloud-, web- and API-driven world.
A typical response by decision-makers to the increasing complexity of their technology environments is to deploy a new security solution for each new threat. As a result, organisations end up with a myriad of separate tools and dashboards, making it very difficult for their security teams to manage. Nearly half of Australian companies have more than 50 cyber security tools and are battling alert fatigue, particularly as many tools produce a high volume of false positives.
There is a real need for organisations to be able to integrate all their security tools and to establish a common platform that can deal with threats that are particularly levelled at web applications. Organisations and security teams should also be aiming to detect attacks and erroneous behaviour, and respond accordingly, in a more automated fashion.
Making secure moves
Addressing security risks invariably involves a variety of controls and configurations, especially as the threat landscape continues to evolve. Today, many tools require security teams to review alerts and implement new rules when they encounter attacks.
Organisations need to find ways to automate as many of their cyber security controls as possible as the threat landscape evolves. One way to do this would be to leverage a modern web application firewall (WAF), which inspects incoming request traffic, detects malicious requests and then either logs them or blocks them before they reach the web application. Running a WAF in logging-only mode first, and only switching to blocking once the rules have been tuned against real traffic, avoids trading one class of alert fatigue for a flood of blocked legitimate users.
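To make the log-or-block distinction concrete, the following is an added illustration for this article, not Fastly’s WAF or any product’s rule set. It is a minimal request filter with a monitor mode (detect and log) and an enforcing mode (detect and block). The `Request` shape, the four detection rules, and the sample requests are all constructed for the example; a real WAF carries far larger, continuously updated signatures and anomaly scoring.

```python
"""Minimal WAF-style request filter: detect, then log or block.

Added example, not Fastly's product code. RULES and the Request shape are
hypothetical; sample requests at the bottom are constructed for the demo.
"""
import logging
import re
import urllib.parse
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical signature set (name, compiled pattern). Deliberately narrow so
# that ordinary traffic does not trip it; real rule sets are much larger.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("sqli_tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+")),
    ("sqli_union", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("path_traversal", re.compile(r"(^|[/\\])\.\.([/\\]|$)")),
    ("xss_script_tag", re.compile(r"(?i)<\s*script\b")),
]


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Decision:
    action: str                     # "allow", "log" or "block"
    rule: Optional[str] = None      # rule that fired, if any
    location: Optional[str] = None  # where in the request it fired


def normalise(value: str) -> str:
    """Percent-decode twice: attackers double-encode (e.g. %252F) to slip
    past filters that decode only once. Decoding before matching closes that gap."""
    return urllib.parse.unquote_plus(urllib.parse.unquote_plus(value))


def inspect(req: Request) -> Optional[Tuple[str, str]]:
    """Return (rule_name, location) for the first rule that matches, else None."""
    fields = [("path", req.path), ("query", req.query), ("body", req.body)]
    fields += [("header:" + k, v) for k, v in req.headers.items()]
    for location, raw in fields:
        text = normalise(raw)
        for name, pattern in RULES:
            if pattern.search(text):
                return name, location
    return None


class Waf:
    """mode='log' records matches and lets them through (monitor mode);
    mode='block' rejects them before the application sees them."""

    def __init__(self, mode: str = "log") -> None:
        if mode not in ("log", "block"):
            raise ValueError("mode must be 'log' or 'block'")
        self.mode = mode
        self.logger = logging.getLogger("waf")

    def handle(self, req: Request) -> Decision:
        match = inspect(req)
        if match is None:
            return Decision("allow")
        rule, location = match
        self.logger.warning("%s %s matched %s in %s (mode=%s)",
                            req.method, req.path, rule, location, self.mode)
        return Decision("block" if self.mode == "block" else "log", rule, location)


# Constructed sample traffic: one benign request and three attack shapes.
SAMPLES = [
    Request("GET", "/search", "q=shoes"),
    Request("GET", "/search", "q=%27%20OR%201%3D1--"),            # ' OR 1=1--
    Request("GET", "/static/..%252F..%252Fetc/passwd"),           # double-encoded ../
    Request("POST", "/comment", body="text=<script>alert(1)</script>"),
]


def run_samples(mode: str) -> List[str]:
    """Run the samples through a WAF in the given mode and return the actions taken."""
    waf = Waf(mode)
    return [waf.handle(r).action for r in SAMPLES]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for mode in ("log", "block"):
        print(mode, run_samples(mode))
```

The same rule set produces different outcomes depending only on the mode, which is the operational lever the text describes: start in `log`, review what fires against genuine traffic, then move to `block`. The double decode in `normalise` is the kind of detail that separates a filter that catches `/..%252F..%252Fetc/passwd` from one that waves it through.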
Organisations also need to evaluate the effectiveness of existing tools, streamline and gain visibility across all of the assets that are deployed and operating in their infrastructure. And they need appropriate funding to do it, that is commensurate with the investment in digital and web applications that they’re making.
Whatever approach is selected, organisations should work to deploy security controls in every layer of their network and in every cloud they have a presence in, to best protect their web applications, their users, and the data those applications store or process. Once organisations have the capability and tooling to apply application security consistently across every part of their environment, the protection they get will match the risk they are actually carrying.
Stephen Gillies is the APAC technology Evangelist at Fastly.