CIOReview
March 2017

Application Security Assurance: Applications are the primary target for hackers, and we estimate that more than 70 percent of successful breaches are directed at the application layer. A robust application threat analysis service is needed to proactively avoid cybersecurity defects from the start; it also functions as an independent validation and verification of security requirements and of architectural security resilience. The result is an application that is secure by design. Today, conventional application development methods discover only a small fraction of vulnerabilities.

Continuous Monitoring: Organizations need to migrate from periodic assessments of static security controls to continuous monitoring. For example, the Department of Homeland Security's Continuous Diagnostics and Mitigation program supports continuous monitoring by making available a suite of off-the-shelf products that give real-time visibility into networks and systems. NIST's Risk Management Framework also provides a risk-based approach to managing organizational risk for critical infrastructure.

Managed Services: Protecting IT resources is critical for every agency, but cybersecurity is not a core competency for most. Managed services provided by experienced, certified professionals can help agencies meet their cybersecurity requirements without the capital expenditures and manpower costs of in-house operations, freeing agencies to focus on their missions.

Data Security: Preventing the unwanted disclosure of data in motion, at rest and in use is paramount. Organizations must implement data loss prevention solutions, including encryption and key management, web content filtering, database security health checks (to assess security vulnerabilities), email protection services, and end-to-end data protection. Agencies should also establish policies to identify and restrict the movement of critical and private data.
Defense-in-context: Defense-in-depth has meant a continuing cycle of adding more and more layers of protection and security controls to protect an organization's assets and resources. However, these layers and controls are often not integrated, and if the organization's most critical assets sit at the core of those layers and the layers are breached, then adversaries may exfiltrate your vital assets. In today's world these high-value assets are distributed, so your protection also has to be distributed around them. The context of those assets matters more than their location at the "center" of your enterprise. For this reason, defense-in-context takes the approach of leveraging all the security-related information available (location, device, access, behaviors, etc.) and integrating it to obtain situational awareness.

The Future of Cybersecurity

The history of cybersecurity has been reactive, with enterprises and security-solution providers struggling to keep pace with threats and vulnerabilities introduced by rapid changes in technology. Technology will continue to change at an ever accelerating rate, but this does not mean cybersecurity must remain in a losing race to keep pace with threats. While compliance is the entry fee, it will not adequately protect an enterprise from threats. Application security, continuous monitoring, managed services, data security, and defense-in-context are essential, and we must remember that no one is alone. We are all in this together. We must create an architecture that is resilient to these threats by enabling agencies to continue their business operations and service to our nation's citizens. Think of it like installing brakes on a car. Brakes were not invented to stop a car; they were invented so you could drive faster and more safely, slow down, and come to a complete stop if necessary.
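The defense-in-context paragraph above describes integrating location, device, access and behavior information into a single picture instead of trusting any one perimeter layer. The following Python example, added here and not part of the CIOReview article or any vendor's product, shows one way such integration can drive an access decision: each risky signal contributes a weight, the weights are summed, and the allow/step-up/block thresholds tighten with the criticality of the asset being accessed. The user baselines, signal weights, thresholds and sample access events are all constructed for illustration.

```python
"""Defense-in-context scoring: combine location, device, access and behaviour
signals into one risk decision per access event.

Added illustration; not from the article. Every baseline, weight, threshold
and sample event below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    user: str
    asset: str
    asset_criticality: int      # 1 (low) .. 3 (high); constructed scale
    country: str
    device_managed: bool
    device_patched: bool
    mfa_used: bool
    hour_utc: int
    failed_logins_last_hour: int
    bytes_out_mb: float


@dataclass
class ContextDecision:
    user: str
    asset: str
    score: int
    reasons: List[str]
    action: str                 # "allow", "step-up" or "block"


# Constructed per-user baselines: usual countries and usual working hours (UTC).
USER_BASELINE: Dict[str, dict] = {
    "alice": {"countries": {"US"}, "hours": range(12, 24)},
    "bob":   {"countries": {"US", "CA"}, "hours": range(13, 22)},
}


def context_signals(ev: AccessEvent, baseline=USER_BASELINE) -> List[Tuple[str, int]]:
    """Return (reason, weight) for every risky signal observed on the event."""
    profile = baseline.get(ev.user, {"countries": set(), "hours": range(0)})
    signals: List[Tuple[str, int]] = []
    # Location: where the request comes from, compared with the user's history.
    if ev.country not in profile["countries"]:
        signals.append((f"unusual country {ev.country}", 3))
    # Device: posture of the endpoint making the request.
    if not ev.device_managed:
        signals.append(("unmanaged device", 3))
    elif not ev.device_patched:
        signals.append(("managed but unpatched device", 2))
    # Access: strength of the authentication used.
    if not ev.mfa_used:
        signals.append(("no MFA", 2))
    # Behaviour: timing, recent failures and outbound volume (exfiltration hint).
    if ev.hour_utc not in profile["hours"]:
        signals.append((f"off-hours access at {ev.hour_utc:02d}:00 UTC", 1))
    if ev.failed_logins_last_hour >= 5:
        signals.append((f"{ev.failed_logins_last_hour} failed logins in last hour", 2))
    if ev.bytes_out_mb > 500:
        signals.append((f"large outbound transfer {ev.bytes_out_mb:.0f} MB", 3))
    return signals


def decide(ev: AccessEvent, baseline=USER_BASELINE) -> ContextDecision:
    """Sum the signal weights and map them to an action for this asset."""
    signals = context_signals(ev, baseline)
    score = sum(weight for _, weight in signals)
    # Thresholds tighten with asset criticality: a score that is tolerable on a
    # low-value asset triggers step-up or block on a crown-jewel asset.
    allow_below = 5 - (ev.asset_criticality - 1)    # 5, 4, 3 for criticality 1..3
    block_from = 9 - (ev.asset_criticality - 1)     # 9, 8, 7 for criticality 1..3
    if score < allow_below:
        action = "allow"
    elif score < block_from:
        action = "step-up"
    else:
        action = "block"
    return ContextDecision(ev.user, ev.asset, score, [r for r, _ in signals], action)


# Constructed sample events.
SAMPLE_EVENTS = [
    # Routine access: known country, managed and patched device, MFA, working hours.
    AccessEvent("alice", "payroll-db", 3, "US", True, True, True, 15, 0, 12.0),
    # Two moderate signals on a low-value asset: new country and unpatched device.
    AccessEvent("bob", "wiki", 1, "DE", True, False, True, 16, 0, 3.0),
    # Many individually minor signals converge on a critical asset.
    AccessEvent("alice", "payroll-db", 3, "RO", False, False, False, 3, 7, 900.0),
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        d = decide(event)
        print(f"{d.user:>6} -> {d.asset:<10} score={d.score:<2} {d.action:<8} {d.reasons}")
```

Running the block shows the three outcomes the approach is meant to produce: the routine event is allowed, the wiki access from a new country on an unpatched device is stepped up rather than blocked because the asset is low value, and the third event is blocked because several signals that might each pass on their own converge on a high-criticality asset. The score alone is not the decision; the asset's context sets the thresholds.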