C-level briefing: Veracode’s chief strategy officer on an unlikely benefit of mobile and cloud.
The move to cloud and mobile is often cited as a key factor in the rise in security risks that companies are facing today. Whether it is data being more vulnerable when it is taken off site, or the risks involved in securing workers working remotely, everyone knows that security goes well beyond the perimeter these days.
Sam King, Chief Strategy Officer at application cyber security vendor Veracode, has a different perspective on things. Her altogether more positive view is that the migration to cloud and mobile could actually be a good thing for security.
She said that these strategic changes within organisations mean that security professionals no longer have to fight to be heard in their firms. "I think that issue of having to fight for a seat for the table is much less so when you’re talking about mobile initiatives and cloud initiatives," she told CBR.
"They don’t have to convince anybody that there’s something they have to be concerned about when you’ve got an application and you’re retailing it through another person, like Apple iTunes or Google Play or what have you," she said.
She has found that her firm’s clients are increasingly asking for input as they launch cloud-first or mobile-first initiatives.
She said: "I personally think it’s brought the topic of security to the forefront and in a way that security people don’t have to fight the battle as much, they’re being sought out as collaborators in those initiatives."
King also feels that because these initiatives are new and being built from the ground up, security can be incorporated into applications right from the start of a project. "You have the ability to do it right from the beginning," she said.
King cites a statistic that there are currently 83m business applications in use today, which have already been developed and already have existing and known security vulnerabilities. This means attempts to secure them are retroactive and reactive.
However, "When it comes to mobile initiatives, when it comes to cloud initiatives, you’re thinking about it day one. So you have the ability to design it in," said King. She accepts that this is not going to be the situation in every single case, but that with key initiatives within organisations "security is definitely at the forefront."
The other benefit King sees from the move to cloud is that it actually limits the number of environments that firms need to secure, giving them greater control and standardisation.
"We’ve got a client that’s taking every externally facing application they have and they are choosing to put it into either the Amazon cloud or Azure, and the reason why they’re doing that is because they’ll then have two environments to secure and control versus the 70,000 that exist around the globe that their businesses have created," she said. "So in some ways it’s actually giving them standardisation, which they’ve never had before."
The other benefit that these strategic shifts have is one that is being noticed across the security industry, namely that non-technical members of an organisation’s leadership are taking a much more active interest in cyber security.
She said: "I was visiting with a customer, a large financial services organisation, and this person heads up application security for the organisation, and he told us now their board has instituted a practice where every quarter they want a three-hour briefing on cyber security. Every quarter!"
It is rather a shift from the time when security professionals were having to beg for 10 minutes from fed-up board members during a meeting.
"Anything that can have as much of an impact on the brand as a cyber security issue can have is really starting to get their attention," said King. Indeed, she compares the potential fallout of a cyber breach for a firm to the Volkswagen emissions scandal, which cost it $25m in market cap and a CEO.
She also said that in financial services people are picking banks partly on the quality and usability of mobile applications, of which security is a key factor. "Imagine that experience is tarnished by their data getting stolen off of that mobile application. You’re going to take your money and put it somewhere else. You’re going to put it under the sofa, or the competitor, you’re going to go somewhere else."
King accepts that everything is not perfect. For example, Veracode has tested mobile applications and still found cause for concern, notably with cryptography not being used correctly. Some applications the firm has looked at are not using random number generators, and are also failing to use the latest technology.
"We saw those same mistakes in Java applications, now we’re seeing those mistakes being made in Android mobile applications," said King.
It seems, then, that as well as providing business benefits for firms and their customers, the move to cloud and mobile could also have a security benefit.