How can APAC overcome the cybersecurity affliction?

WHEN you think of cybersecurity, what comes to mind first? Your browser – maybe your bank account – and usually the internet connection you’re using. However, there’s a side to cybersecurity that many people overlook at first glance: Software security.

The fact is, there needs to be considerable thought put into the overall process of designing, engineering, and testing software so that it continues to function correctly even under malicious attack.

A recent study by Frost & Sullivan, commissioned by Microsoft revealed that one in four organizations in the APAC region has experienced a cybersecurity incident.

That number doesn’t really surprise industry insiders, considering the varying levels of software security maturity that is prevalent in organizations in the region.

In an exclusive interview with Tech Wire Asia, Synopsys’ Managing Consultant Olli Jarva discusses the importance of software security and how it impacts businesses.

“Some firms have very mature practices when it comes to handling vulnerabilities in the software development life cycle (SDLC), but many have little visibility or understanding when it comes to remediating vulnerabilities,” said Jarva.

What’s truly unsettling is that 27 percent of firms that participated in the survey weren’t sure whether they had experienced an incident, as they hadn’t conducted any type of breach assessment.

However, the truth is, trying to build security into new processes and operation models is challenging.

Garnering the attention and buy-in of upper management is very complicated when we’re talking about software security.

This observation is supported by the 59 percent of survey respondents that reported putting off their organizations’ digital transformation efforts owing to cybersecurity concerns.

So why is security so challenging for firms? Jarva believes there are several reasons.

First, let’s discuss culture change in organizations. Digital transformation involves pushing to change a variety of operations, and people don’t like change.

Namely, the way processes are carried out—and they’re even more dissatisfied when comfortable and habitual processes become obsolete because of change.

The second reason is the common mentality that security is someone else’s responsibility. This misguided belief builds unnecessary silos into organizations that upper management often doesn’t focus on tearing down.

The reality is that security is everyone’s responsibility. Sure, some people hold more responsibility; however, it takes a village to ensure a firm’s data is secured. A healthy first step is to stop shifting responsibility.

Lastly, security tools by themselves will not solve the cybersecurity problem.

The study identified that 52 percent of APAC firms with more than 50 cyber security products experienced a higher rate of security incidents, per Edison Yu, Frost & Sullivan’s Vice President and Asia-Pacific Head of Enterprise.

The study also showed that managing multiple tools led to a longer period of recovery after an incident. The key to security tools is to integrate them properly into your teams’ processes and to measure the effectiveness of that investment.

Earlier this year, AT Kearney, studied the ASEAN region and found that member countries of the region need to significantly step up their spending on cybersecurity to tackle digital threats.

Not doing so can potentially cost the top 1,000 companies in the region about US$750 billion in market capitalization, and derail digital innovation, according to its report.

Security isn’t the enemy

Throughout the APAC, security is commonly seen as a concept that slows teams and their processes.

This view emerges from a lack of understanding how security works; many people don’t realize that security should be built into the DNA of an organization, not bolted on at the end as an afterthought.

This mindset can also be blamed partially on security product vendors that don’t yet move fast enough to support enterprise-level security challenges.

It’s time to take action to secure the software that powers businesses throughout the region and the world.

Awareness training is one way to encourage individuals, teams, and entire organizations to take security more seriously.

“Start with the security fundamentals. Teach the importance of having guidelines for basic cyber hygiene and how to maintain it,” evangelized Jarva.

Businesses around the globe are moving operations into the cloud, but many APAC firms lack a proper cloud adoption strategy and roadmap with security inclusion.

We must clearly communicate the importance of building security into software throughout the development process—starting from the beginning.

There are two important facts Jarva likes to emphasize to customers and prospects:

First, adding security activities earlier in the development process doesn’t have to slow teams down.

There are tools and strategies available that allow you to build secure software without negatively impacting velocity.

Second, building security into software earlier also saves time and cost later.

When you wait until the final testing and deployment stages to identify software vulnerabilities and defects, going back and remediating them often requires a time-consuming and very costly effort.

Why wait and suffer through that when you could just resolve issues as they arise?

It’s high time that firms throughout the APAC take a proactive approach toward securing the software that powers businesses throughout the region and beyond.

Security shouldn’t be seen as a burden. It is an asset—one that organizations should embrace.

“Don’t ignore it. You’ll be forced to deal with it sooner or later—but even “sooner” could be too late,” advised Jarva.

As Warren Buffet recently told shareholders at the Berkshire Hathaway 2018 Annual Shareholders Meeting, “Cyber is uncharted territory. It’s going to get worse, not better. There’s a very material risk which didn’t exist 10 or 15 years ago and will be much more intense as the years go along.”

---

---

---

---