There is a multitude of studies, research, and angst-ridden blogs that have been written on the topic of “employees” being the biggest (challenge/risk) to securing applications and protecting data. Our own State of Application Delivery report has consistently found “employees not taking security seriously” a top challenge for organizations across all industries and regions.
This is certainly a factor in the confidence organizations have in their ability to withstand the increasing frequency with which applications are attacked—and subsequently breached.
Usually we frame this challenge (or risk, if you prefer) in terms of a few traditional employee tropes:
Trope 1: The disgruntled about-to-be or recently-become former employee. This is the person with the access and a motive to corrupt, steal, destroy, or otherwise disrupt business by mucking with systems, devices, or data.
Trope 2: The clueless non-IT worker. Sales, accounting, HR, call center. You name an extra-IT department and they have been the target of this trope. Their alleged technological ineptitude is a constant source of concern for security pros.
Trope 3: Cowboy coders. Also included in shadow IT or rogue IT. This is the entirety of your app dev organization. By nature, they are cowboys who hate to be confined to the walled garden IT has constructed for its apps and thus ignore security or avoid it altogether by rushing to the public cloud.
In these tropes, employees are portrayed as archetypically malevolent, clueless, or impatient (with anarchist tendencies). They are archetypes, so take them with a grain of salty truth. Most employees don’t fit these molds, but some do.
There is a less mentioned, uncategorized fourth archetype that I’m going to establish right now. Not only that, I’m going to go out on a limb and say it is this type of employee that is the biggest risk to application security – the misguided prioritizer.
Trope 4: The misguided prioritizer. This person is empowered to make critical decisions regarding applications. This is either because they sit high on the organizational chart or they are the “owner” of the application (and thus its budget). Among the decisions they might make (have made, will make again) is prioritizing speed over security.
I would like to present as Exhibit A, this snippet culled from a 2018 survey on security:1
“Almost half of the business management team (48 percent) believes that app performance and speed are more important than security, whereas 56 percent of IT management ranked performance and security as equally important. 65 percent of companies say they would be spurred to increase application protection measures only after an end user or customer were negatively affected.”
Go ahead, read that again. Because the trope proves itself valid in just a few data points.
What this says is that more than half of companies rely on a reactive security strategy. That is, security is a low priority until something happens to make it a higher priority. They react to incidents, but they don’t necessarily prepare for them.
News flash: by the time a customer is negatively affected, it’s too late to do much about it. The data is already exfiltrated. Customers are already infected. And the Tweeters have spontaneously generated a hashtag just for you. This is why we promote a proactive approach to security. While we recognize the value in reactive options (hybrid DDoS strategies, for example) when it comes to data and the applications through which it is managed, you need to be thinking ahead and preparing for the inevitable attack.
The misguided prioritizer, then, is a significant threat to application security because the tendency to ditch security in exchange for speed (of operations and the app performance) is still existential.
The dissonance between IT and business management is problematic. IT is still beholden to the business, and budgets are based in part on the bottom line. No profit? No purchasing. Apps are “owned” by business stakeholders, and it is the business that winds up determining priorities. Even if IT has put an emphasis on security, that emphasis can be overridden by a business stakeholder. To be fair, the misguided prioritizer is constrained by budget, too. Which makes this all the more frustrating. With limited operational and financial resources, business stakeholders make decisions based on their priorities—of which security often ranks fairly low.
From the same article:
“Only 25 percent of respondents say their organization is making a significant investment in solutions to prevent application attacks despite awareness of the negative impact of malicious activity (decreased productivity, decline in revenues, lost customers.”
This despite data (not studies, but real-time actual data) that shows a steady increase in the attack activity at the application layer. For example, El Reg reported2 on a CloudFlare blog post in which the cloud-based provider has literally seen “that OSI layer 7 attacks that usually appear at a rate of around 160 per day are now sprouting at rates of up to 1,000 a day.”
The risk is real, the threat existential, the trope valid. As attackers shift their attention to the soft underbelly of the Internet that are applications, the biggest threat to application security might just be the business.