IT Briefcase Exclusive Interview: Assurance, Insurance and Guarantees – Preparing Your Organization for the Data Breach Era
October 17, 2017
According to Forrester Research, applications are increasingly the face of interaction between companies and their customers; this includes customer-facing applications, differentiating mobile apps, internet-of-things (IoT) device interfaces and streamlined back-end processes.
Meanwhile, application security technologies continue to advance based on new developer methodologies, attack vectors, application types and business needs. Moving forward, security pros must keep pace with these emerging and rapidly evolving technologies to help their organizations deploy apps that improve customer experiences without taking on new risks.
But how?
Nathan Wenzler, Chief Security Strategist at AsTech, explains:
- Q: Tell me a little bit about AsTech. What makes the organization stand out from the competition?
A: AsTech is an independent information security consulting firm which specializes in application security projects and providing corporate risk management services such as Mergers & Acquisitions digital due diligence consulting, regulatory compliance services and cyber insurance offerings for services. It is the latter item which truly sets us apart from our competition. AsTech has been in business for over 20 years, giving us a depth of experience that few services organizations possess in the information security field. And now, between our Paragon Security Program for application security and the newly launched AsTech Vigilance insurance offering for our Managed Qualys Services, we insure our services against data breaches for customers. No other services company offers a tangible level of assurance and protection for their consulting practices or managed service offerings.
- Q: Can you give an example of how the IT function within an organization would benefit from AsTech?
A: AsTech has a whole host of security services and programs that can help organizations at every level of their security program. We have significant expertise in application security, and can help companies with development groups to ensure the code they write is secure and free from vulnerabilities or defects, efficiently integrate the vulnerability findings from security tools with the developer’s Application Lifecycle Management tools, train their coders in secure coding practices, and advise management on the best policies and procedures which support security efforts going forward. All of these pieces create a more secure platform in which to develop software from start to finish. AsTech can apply this same kind of expertise to a number of other security programs and practices we offer, and can offer our industry-first guarantee to customers for designated programs, ensuring that they can trust in the quality of services and have liability protection for their organization in the event of a data breach.
- Q: How early in the application development cycle should security issues be identified?
A: Security issues need to be identified even before the requirements are pulled together at the start of the development process. Specifically, organizations should be looking to see if the developers on their teams are familiar with secure coding practices and can execute these skills each and every time they build and commit code. These training issues are fundamental to the success of building security into applications from the start and must be considered even before formal development begins. From there, of course, security issues should be identified at every step along the way. Testing of code, whether static code analysis or dynamic application testing, should be conducted as often as possible in order to identify problems as early as possible, where they are cheaper and easier to correct.
- Q: AsTech recently announced a $5 million warranty, making it the largest guarantee for application security in the world. As an organization, how can you be so confident that you offer such a significant guarantee?
A: Our teams have been conducting extensive application security testing for over 20 years, and in that time, no customer of AsTech has been breached by a vulnerability we missed. Our experts have extensive experience with a variety of code frameworks, and we leverage that expertise to ensure we catch every vulnerability we can when analyzing an application. The history of success we’ve maintained has been the very thing which allows our insurance programs to be written and back up our work with this guarantee.
- Q: How important is it for an organization to provide a cyber security guarantee?
A: Cyber insurance is still a relatively new concept to most organizations, but it’s growing rapidly. Some estimates suggest that fewer than 1 out of 3 organizations have any sort of cyber insurance policy at all, but, as more and more data breaches take place and the cost to deal with those breaches grows, there is a greater demand for this sort of protection. Requiring vendors and contractors to insure their services is becoming more common now, as these third parties have been the source of many of the largest data breaches in the last few years, such as the Target breach in 2013. Since we know the number of breaches isn’t likely to decrease, and the costs associated are going to remain high, it is absolutely becoming a critical business function for organizations who provide services to insure their work to protect both themselves and their customers.
- Q: Tell me a little about your recent announcement with Qualys. What does this mean for Managed Qualys Services users?
A: The primary benefit here with the new AsTech Vigilance program is a $1 million guarantee against data breach costs. In short, AsTech will configure, optimize and manage the way the Qualys Cloud Platform detects vulnerabilities on your perimeter assets to such a high degree of accuracy that should your organization get breached because of a vulnerability that was not detected but Qualys was able to find, we will cover up to $1 million of data breach-related costs incurred. It’s an additional level of assurance that the services provided by AsTech for managing Qualys actually deliver the level of security every company wants for their perimeter assets.
- Q: What advice would you have for businesses looking to protect themselves from a data breach?
A: The best advice I can offer is that organizations must keep as broad a view as possible on their security programs and what they address. Many companies get very narrowly focused on a few security controls, which causes them to lose sight of another important area which may be attacked. For instance, a company may deploy a very strong perimeter defense with firewalls and intrusion detection systems to prevent an attacker from breaking into the network that way, but not put any effort into secure coding practices or into cybersecurity awareness training for their users, which allows attackers to focus on applications or phishing campaigns to gain entry to the company’s network. It’s imperative that organizations of all sizes build a multi-faceted security program that includes addressing the human elements of security (like training and education, or having strong policies and procedures in place) in order to protect themselves from the variety of attacks that can lead to a data breach.
About Nathan Wenzler
Nathan Wenzler is the Chief Security Strategist at AsTech, a leading information security consulting firm. Wenzler has more than two decades of experience designing, implementing and managing both technical and non-technical solutions for IT and Information Security organizations. He has helped government agencies and Fortune 1000 companies build new information security programs from scratch, as well as improve and broaden existing programs with a focus on process, workflow, risk management, and the personnel side of a successful security effort.
As Chief Security Strategist for AsTech, Wenzler brings his expertise on security program development and implementation in both the public and private sector to administrators, auditors, managers, C-Suite executives and security professionals across a wide variety of organizations and companies around the globe.
Wenzler is frequently quoted in publications such as USA Today, Forbes, The Washington Post, TheStreet.com, Infosecurity Magazine, Dark Reading, SC Magazine, and contributes regularly to his own column on CSO Online, “The Layer 8 Debate”. He is also a frequent presenter on BrightTalk and at a number of leading conferences worldwide.