Konzentriert sich Ihr Sicherheitsprogramm auf die Reaktion auf Vorfälle? Sie machen es falsch.
A version of this article appeared as a feature for the Forbes Technology Council. It has been updated and syndicated here.
There is nothing quite like being on the wrong side of a data breach. At first, there might be denial, then panic. Once all the expletives have been aired and the CISO has had to do a 2am conference call with public relations, it’s time to roll up your sleeves and get to work on securing endpoints, systems, and quickly eliminating any potential attack vectors. It’s no picnic, to say the least.
And yet, this is a reality that will dawn on many organizations in the future, and one that absolutely must be prepared for with a comprehensive cybersecurity incident response plan. The problem, however, is that this reactive strategy is where much of the time, resources, and effort is concentrated, instead of working to prevent or reduce the potential severity of cyberattacks up-front. It’s a little bit like calling an ambulance for a suspected heart attack; the outcomes are often a lot less positive - not to mention more damaging - than if preventative health measures were in force before it was too late.
To that end, what does a preventative plan look like? Let’s explore how security pros can employ all the tools at their disposal to mitigate ever-increasing cyber risk, every day:
Understand the scope of work that lies ahead
It seems obvious, but the “right” plan to mitigate cyber risk does have nuances between industries, and it’s important to understand what is needed up-front to reach the desired outcome.
What security problems currently exist? What time and resources are they taking up? How many of them are recurring issues? These are important factors, and will give you a foundational starting point. Consider any roles that need filling, gaps in tooling, and what is needed from an expertise and tool perspective to secure endpoints and reduce the attack surface, while preempting other areas of potential risk.
A recent report revealed that eleven industries saw a serious vulnerability, across at least half of their applications, every day for the past year. In particular, the utilities, public administration, and professional services industries took 288 days on average to patch known vulnerabilities. This is incredibly slow, giving an attacker more than enough time to do serious damage if those vulnerabilities are discovered before a patch can be applied. This, coupled with the probability of organizations experiencing a data breach approaching 30%, is a sobering reminder that incident reaction is not enough, and the stakes are simply too high to brace for the impact of a large-scale cyberattack and hope for the best.
Prepare to get buy-in for cultural change
Shaking up the status quo does tend to raise a few eyebrows, but the truth is, security programs should be in a constant state of continuous improvement. Every component should stay relevant, and new developments should be assessed and factored in.
Placing emphasis on a preventative - as opposed to reactive - approach may not be widely understood outside of the security team, especially if a big, bad, security incident has not taken place. It might be seen as something that isn’t broken and doesn’t need fixing. In this instance, getting executive buy-in is essential. Some of the more pertinent points for them to consider are:
- The time and cost savings in preventative measures, such as role-based training and related tools, as opposed to the potential cost of a critical incident
- How finding and fixing vulnerabilities now keeps releases on time, with fewer showstoppers from the security team
- Why preparing for and preempting potential security risks, from the development team right through to release, saves more time (no to mention significant cash) overall. To put it into perspective, late-stage vulnerabilities uncovered in the testing phase - or worse, post-production - can raise costs as much as 3000% on average.
It’s vital that proposed cultural changes are aligned with business goals, even if they seem uncomfortable at first.
Security awareness is something, security skills are everything
As an industry, we talk frequently about the importance of security awareness, and this is an increasingly critical component of every member of staff in an organization. However, it is not enough to stop at lip service and passive training, especially for those in technical positions.
Put simply, anyone who is touching code is a potential security risk if they’re not equipped with the skills to code securely. General awareness of basic security parameters is a good start, but without contextual knowledge of good, secure coding patterns, poor habits prevail, and it’s this lack of quality development skill that attackers rely upon to do their dirty work.
Don’t write off your developers.
Though the attitude is shifting, many organizations are structured in such a way that developers are rarely a true consideration in security mitigation plans. Some industries - like banking and finance - have stringent compliance and regulatory requirements that result in heightened security practices and training across the board, for all staff. And while they’re certainly ahead of other verticals, just about every organization on the planet could benefit from an in-house army of security-aware developers, all with a baseline ability to sniff out common security bugs before they’re committed. Most are nowhere near achieving this critical piece of the security program puzzle - and it’s necessary if we ever have a hope of securing the deluge of code that increases in volume year-on-year.
Preventative security should begin the moment fingers touch the keyboard to create software, but developers cannot be expected to bridge the security skills gap alone. They need the right toolset and contextual guidance to reach a higher standard of code quality, and the best results are always achieved when it’s part of their everyday work, not an afterthought that is sporadically rolled out whenever annual compliance requirements roll in.
Die Betonung auf einen präventiven — im Gegensatz zu einem reaktiven — Ansatz wird außerhalb des Sicherheitsteams möglicherweise nicht allgemein verstanden, insbesondere wenn kein großer, schwerwiegender Sicherheitsvorfall stattgefunden hat.
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior ist für Ihr Unternehmen da, um Ihnen zu helfen, Code während des gesamten Softwareentwicklungszyklus zu sichern und eine Kultur zu schaffen, in der Cybersicherheit an erster Stelle steht. Ganz gleich, ob Sie AppSec-Manager, Entwickler, CISO oder jemand anderes sind, der sich mit Sicherheit befasst, wir können Ihrem Unternehmen helfen, die mit unsicherem Code verbundenen Risiken zu reduzieren.
Eine Demo buchen
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
A version of this article appeared as a feature for the Forbes Technology Council. It has been updated and syndicated here.
There is nothing quite like being on the wrong side of a data breach. At first, there might be denial, then panic. Once all the expletives have been aired and the CISO has had to do a 2am conference call with public relations, it’s time to roll up your sleeves and get to work on securing endpoints, systems, and quickly eliminating any potential attack vectors. It’s no picnic, to say the least.
And yet, this is a reality that will dawn on many organizations in the future, and one that absolutely must be prepared for with a comprehensive cybersecurity incident response plan. The problem, however, is that this reactive strategy is where much of the time, resources, and effort is concentrated, instead of working to prevent or reduce the potential severity of cyberattacks up-front. It’s a little bit like calling an ambulance for a suspected heart attack; the outcomes are often a lot less positive - not to mention more damaging - than if preventative health measures were in force before it was too late.
To that end, what does a preventative plan look like? Let’s explore how security pros can employ all the tools at their disposal to mitigate ever-increasing cyber risk, every day:
Understand the scope of work that lies ahead
It seems obvious, but the “right” plan to mitigate cyber risk does have nuances between industries, and it’s important to understand what is needed up-front to reach the desired outcome.
What security problems currently exist? What time and resources are they taking up? How many of them are recurring issues? These are important factors, and will give you a foundational starting point. Consider any roles that need filling, gaps in tooling, and what is needed from an expertise and tool perspective to secure endpoints and reduce the attack surface, while preempting other areas of potential risk.
A recent report revealed that eleven industries saw a serious vulnerability, across at least half of their applications, every day for the past year. In particular, the utilities, public administration, and professional services industries took 288 days on average to patch known vulnerabilities. This is incredibly slow, giving an attacker more than enough time to do serious damage if those vulnerabilities are discovered before a patch can be applied. This, coupled with the probability of organizations experiencing a data breach approaching 30%, is a sobering reminder that incident reaction is not enough, and the stakes are simply too high to brace for the impact of a large-scale cyberattack and hope for the best.
Prepare to get buy-in for cultural change
Shaking up the status quo does tend to raise a few eyebrows, but the truth is, security programs should be in a constant state of continuous improvement. Every component should stay relevant, and new developments should be assessed and factored in.
Placing emphasis on a preventative - as opposed to reactive - approach may not be widely understood outside of the security team, especially if a big, bad, security incident has not taken place. It might be seen as something that isn’t broken and doesn’t need fixing. In this instance, getting executive buy-in is essential. Some of the more pertinent points for them to consider are:
- The time and cost savings in preventative measures, such as role-based training and related tools, as opposed to the potential cost of a critical incident
- How finding and fixing vulnerabilities now keeps releases on time, with fewer showstoppers from the security team
- Why preparing for and preempting potential security risks, from the development team right through to release, saves more time (no to mention significant cash) overall. To put it into perspective, late-stage vulnerabilities uncovered in the testing phase - or worse, post-production - can raise costs as much as 3000% on average.
It’s vital that proposed cultural changes are aligned with business goals, even if they seem uncomfortable at first.
Security awareness is something, security skills are everything
As an industry, we talk frequently about the importance of security awareness, and this is an increasingly critical component of every member of staff in an organization. However, it is not enough to stop at lip service and passive training, especially for those in technical positions.
Put simply, anyone who is touching code is a potential security risk if they’re not equipped with the skills to code securely. General awareness of basic security parameters is a good start, but without contextual knowledge of good, secure coding patterns, poor habits prevail, and it’s this lack of quality development skill that attackers rely upon to do their dirty work.
Don’t write off your developers.
Though the attitude is shifting, many organizations are structured in such a way that developers are rarely a true consideration in security mitigation plans. Some industries - like banking and finance - have stringent compliance and regulatory requirements that result in heightened security practices and training across the board, for all staff. And while they’re certainly ahead of other verticals, just about every organization on the planet could benefit from an in-house army of security-aware developers, all with a baseline ability to sniff out common security bugs before they’re committed. Most are nowhere near achieving this critical piece of the security program puzzle - and it’s necessary if we ever have a hope of securing the deluge of code that increases in volume year-on-year.
Preventative security should begin the moment fingers touch the keyboard to create software, but developers cannot be expected to bridge the security skills gap alone. They need the right toolset and contextual guidance to reach a higher standard of code quality, and the best results are always achieved when it’s part of their everyday work, not an afterthought that is sporadically rolled out whenever annual compliance requirements roll in.
A version of this article appeared as a feature for the Forbes Technology Council. It has been updated and syndicated here.
There is nothing quite like being on the wrong side of a data breach. At first, there might be denial, then panic. Once all the expletives have been aired and the CISO has had to do a 2am conference call with public relations, it’s time to roll up your sleeves and get to work on securing endpoints, systems, and quickly eliminating any potential attack vectors. It’s no picnic, to say the least.
And yet, this is a reality that will dawn on many organizations in the future, and one that absolutely must be prepared for with a comprehensive cybersecurity incident response plan. The problem, however, is that this reactive strategy is where much of the time, resources, and effort is concentrated, instead of working to prevent or reduce the potential severity of cyberattacks up-front. It’s a little bit like calling an ambulance for a suspected heart attack; the outcomes are often a lot less positive - not to mention more damaging - than if preventative health measures were in force before it was too late.
To that end, what does a preventative plan look like? Let’s explore how security pros can employ all the tools at their disposal to mitigate ever-increasing cyber risk, every day:
Understand the scope of work that lies ahead
It seems obvious, but the “right” plan to mitigate cyber risk does have nuances between industries, and it’s important to understand what is needed up-front to reach the desired outcome.
What security problems currently exist? What time and resources are they taking up? How many of them are recurring issues? These are important factors, and will give you a foundational starting point. Consider any roles that need filling, gaps in tooling, and what is needed from an expertise and tool perspective to secure endpoints and reduce the attack surface, while preempting other areas of potential risk.
A recent report revealed that eleven industries saw a serious vulnerability, across at least half of their applications, every day for the past year. In particular, the utilities, public administration, and professional services industries took 288 days on average to patch known vulnerabilities. This is incredibly slow, giving an attacker more than enough time to do serious damage if those vulnerabilities are discovered before a patch can be applied. This, coupled with the probability of organizations experiencing a data breach approaching 30%, is a sobering reminder that incident reaction is not enough, and the stakes are simply too high to brace for the impact of a large-scale cyberattack and hope for the best.
Prepare to get buy-in for cultural change
Shaking up the status quo does tend to raise a few eyebrows, but the truth is, security programs should be in a constant state of continuous improvement. Every component should stay relevant, and new developments should be assessed and factored in.
Placing emphasis on a preventative - as opposed to reactive - approach may not be widely understood outside of the security team, especially if a big, bad, security incident has not taken place. It might be seen as something that isn’t broken and doesn’t need fixing. In this instance, getting executive buy-in is essential. Some of the more pertinent points for them to consider are:
- The time and cost savings in preventative measures, such as role-based training and related tools, as opposed to the potential cost of a critical incident
- How finding and fixing vulnerabilities now keeps releases on time, with fewer showstoppers from the security team
- Why preparing for and preempting potential security risks, from the development team right through to release, saves more time (no to mention significant cash) overall. To put it into perspective, late-stage vulnerabilities uncovered in the testing phase - or worse, post-production - can raise costs as much as 3000% on average.
It’s vital that proposed cultural changes are aligned with business goals, even if they seem uncomfortable at first.
Security awareness is something, security skills are everything
As an industry, we talk frequently about the importance of security awareness, and this is an increasingly critical component of every member of staff in an organization. However, it is not enough to stop at lip service and passive training, especially for those in technical positions.
Put simply, anyone who is touching code is a potential security risk if they’re not equipped with the skills to code securely. General awareness of basic security parameters is a good start, but without contextual knowledge of good, secure coding patterns, poor habits prevail, and it’s this lack of quality development skill that attackers rely upon to do their dirty work.
Don’t write off your developers.
Though the attitude is shifting, many organizations are structured in such a way that developers are rarely a true consideration in security mitigation plans. Some industries - like banking and finance - have stringent compliance and regulatory requirements that result in heightened security practices and training across the board, for all staff. And while they’re certainly ahead of other verticals, just about every organization on the planet could benefit from an in-house army of security-aware developers, all with a baseline ability to sniff out common security bugs before they’re committed. Most are nowhere near achieving this critical piece of the security program puzzle - and it’s necessary if we ever have a hope of securing the deluge of code that increases in volume year-on-year.
Preventative security should begin the moment fingers touch the keyboard to create software, but developers cannot be expected to bridge the security skills gap alone. They need the right toolset and contextual guidance to reach a higher standard of code quality, and the best results are always achieved when it’s part of their everyday work, not an afterthought that is sporadically rolled out whenever annual compliance requirements roll in.
Klicken Sie auf den Link unten und laden Sie das PDF dieser Ressource herunter.
Secure Code Warrior ist für Ihr Unternehmen da, um Ihnen zu helfen, Code während des gesamten Softwareentwicklungszyklus zu sichern und eine Kultur zu schaffen, in der Cybersicherheit an erster Stelle steht. Ganz gleich, ob Sie AppSec-Manager, Entwickler, CISO oder jemand anderes sind, der sich mit Sicherheit befasst, wir können Ihrem Unternehmen helfen, die mit unsicherem Code verbundenen Risiken zu reduzieren.
Bericht ansehenEine Demo buchen
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
A version of this article appeared as a feature for the Forbes Technology Council. It has been updated and syndicated here.
There is nothing quite like being on the wrong side of a data breach. At first, there might be denial, then panic. Once all the expletives have been aired and the CISO has had to do a 2am conference call with public relations, it’s time to roll up your sleeves and get to work on securing endpoints, systems, and quickly eliminating any potential attack vectors. It’s no picnic, to say the least.
And yet, this is a reality that will dawn on many organizations in the future, and one that absolutely must be prepared for with a comprehensive cybersecurity incident response plan. The problem, however, is that this reactive strategy is where much of the time, resources, and effort is concentrated, instead of working to prevent or reduce the potential severity of cyberattacks up-front. It’s a little bit like calling an ambulance for a suspected heart attack; the outcomes are often a lot less positive - not to mention more damaging - than if preventative health measures were in force before it was too late.
To that end, what does a preventative plan look like? Let’s explore how security pros can employ all the tools at their disposal to mitigate ever-increasing cyber risk, every day:
Understand the scope of work that lies ahead
It seems obvious, but the “right” plan to mitigate cyber risk does have nuances between industries, and it’s important to understand what is needed up-front to reach the desired outcome.
What security problems currently exist? What time and resources are they taking up? How many of them are recurring issues? These are important factors, and will give you a foundational starting point. Consider any roles that need filling, gaps in tooling, and what is needed from an expertise and tool perspective to secure endpoints and reduce the attack surface, while preempting other areas of potential risk.
A recent report revealed that eleven industries saw a serious vulnerability, across at least half of their applications, every day for the past year. In particular, the utilities, public administration, and professional services industries took 288 days on average to patch known vulnerabilities. This is incredibly slow, giving an attacker more than enough time to do serious damage if those vulnerabilities are discovered before a patch can be applied. This, coupled with the probability of organizations experiencing a data breach approaching 30%, is a sobering reminder that incident reaction is not enough, and the stakes are simply too high to brace for the impact of a large-scale cyberattack and hope for the best.
Prepare to get buy-in for cultural change
Shaking up the status quo does tend to raise a few eyebrows, but the truth is, security programs should be in a constant state of continuous improvement. Every component should stay relevant, and new developments should be assessed and factored in.
Placing emphasis on a preventative - as opposed to reactive - approach may not be widely understood outside of the security team, especially if a big, bad, security incident has not taken place. It might be seen as something that isn’t broken and doesn’t need fixing. In this instance, getting executive buy-in is essential. Some of the more pertinent points for them to consider are:
- The time and cost savings in preventative measures, such as role-based training and related tools, as opposed to the potential cost of a critical incident
- How finding and fixing vulnerabilities now keeps releases on time, with fewer showstoppers from the security team
- Why preparing for and preempting potential security risks, from the development team right through to release, saves more time (no to mention significant cash) overall. To put it into perspective, late-stage vulnerabilities uncovered in the testing phase - or worse, post-production - can raise costs as much as 3000% on average.
It’s vital that proposed cultural changes are aligned with business goals, even if they seem uncomfortable at first.
Security awareness is something, security skills are everything
As an industry, we talk frequently about the importance of security awareness, and this is an increasingly critical component of every member of staff in an organization. However, it is not enough to stop at lip service and passive training, especially for those in technical positions.
Put simply, anyone who is touching code is a potential security risk if they’re not equipped with the skills to code securely. General awareness of basic security parameters is a good start, but without contextual knowledge of good, secure coding patterns, poor habits prevail, and it’s this lack of quality development skill that attackers rely upon to do their dirty work.
Don’t write off your developers.
Though the attitude is shifting, many organizations are structured in such a way that developers are rarely a true consideration in security mitigation plans. Some industries - like banking and finance - have stringent compliance and regulatory requirements that result in heightened security practices and training across the board, for all staff. And while they’re certainly ahead of other verticals, just about every organization on the planet could benefit from an in-house army of security-aware developers, all with a baseline ability to sniff out common security bugs before they’re committed. Most are nowhere near achieving this critical piece of the security program puzzle - and it’s necessary if we ever have a hope of securing the deluge of code that increases in volume year-on-year.
Preventative security should begin the moment fingers touch the keyboard to create software, but developers cannot be expected to bridge the security skills gap alone. They need the right toolset and contextual guidance to reach a higher standard of code quality, and the best results are always achieved when it’s part of their everyday work, not an afterthought that is sporadically rolled out whenever annual compliance requirements roll in.
Inhaltsverzeichniss
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior ist für Ihr Unternehmen da, um Ihnen zu helfen, Code während des gesamten Softwareentwicklungszyklus zu sichern und eine Kultur zu schaffen, in der Cybersicherheit an erster Stelle steht. Ganz gleich, ob Sie AppSec-Manager, Entwickler, CISO oder jemand anderes sind, der sich mit Sicherheit befasst, wir können Ihrem Unternehmen helfen, die mit unsicherem Code verbundenen Risiken zu reduzieren.
Eine Demo buchenHerunterladenRessourcen für den Einstieg
Themen und Inhalte der Securecode-Schulung
Unsere branchenführenden Inhalte werden ständig weiterentwickelt, um der sich ständig ändernden Softwareentwicklungslandschaft unter Berücksichtigung Ihrer Rolle gerecht zu werden. Themen, die alles von KI bis XQuery Injection abdecken und für eine Vielzahl von Rollen angeboten werden, von Architekten und Ingenieuren bis hin zu Produktmanagern und QA. Verschaffen Sie sich einen kleinen Einblick in das Angebot unseres Inhaltskatalogs nach Themen und Rollen.
%20(1).avif)
.avif)
Threat Modeling with AI: Turning Every Developer into a Threat Modeler
Walk away better equipped to help developers combine threat modeling ideas and techniques with the AI tools they're already using to strengthen security, improve collaboration, and build more resilient software from the start.
Ressourcen für den Einstieg
Cybermon is back: Beat the Boss KI-Missionen jetzt auf Abruf verfügbar
Cybermon 2025 Beat the Boss ist jetzt das ganze Jahr über in SCW verfügbar. Setzt fortschrittliche KI/LLM-Sicherheitsanforderungen ein, um die sichere KI-Entwicklung in einem großen Maßstab zu stärken.
Cyber-Resilienz-Gesetz erklärt: Was das für die Entwicklung von Secure by Design-Software bedeutet
Erfahren Sie, was der EU Cyber Resilience Act (CRA) verlangt, für wen er gilt und wie sich Entwicklungsteams mit sicheren Methoden, der Vorbeugung von Sicherheitslücken und dem Aufbau von Fähigkeiten für Entwickler darauf vorbereiten können.
