Who should be responsible for web security?

This article is the fifth in a series about digital business security from information security consultant Kevin Beaver.
Who's in charge of web security in your organisation? Is it IT? Is it software development? Perhaps a different group altogether? In many cases, web security is handled differently from the overall information security function. Sometimes it's not handled at all. The important thing is that web security is recognised as a core element of the organisation's overall risk management equation.

Lack of oversight in web security is problematic

Information security initiatives are often managed by a Director of Information Security, a CIO, or even a dedicated Chief Information Security Officer (CISO). I've seen situations where web security is instead handled by software development managers, or even by developers or QA professionals themselves. The trouble with this approach is that what's good enough for those managing the web security program might not be good enough for those managing the overall information security program or the business at large. In many cases, the person in charge of web security knew very little about the subject at all. This lack of oversight and consistency in web security is problematic and can lead to many web-related security challenges, such as:

· Lack of policy enforcement, which can lead to a lack of defensibility in the event of an incident or breach.

· Inconsistencies with security standards, which show a lack of cohesiveness across the IT environment.

· Under-implemented security technologies, which often create a false sense of security.

· Unpreparedness when it comes to invoking incident response procedures and addressing the inevitable web-related security events.

· Web vulnerabilities introduced by third-party vendors/developers or third-party code snippets.

Web applications are often the most critical systems inside the organisation. To say that web security deserves better than it often gets is an understatement.


There needs to be consistency in terms of security standards

So, who should oversee web security? There is no single right answer. Every situation is unique. Business needs differ and so do risk tolerances. Still, what's needed is for web security to be a visible and manageable component of your overall information security program that's properly overseen. We work in a world where everything related to security should fall under the same governance umbrella. Whether you refer to it as network security, cybersecurity, or information security, a qualified individual or entity ultimately needs to oversee it all. There needs to be consistency in terms of security standards, policy creation and enforcement, and incident response. Whatever person or structure is needed to achieve these goals is what you should aim for.
Web security certainly has its nuances and unique needs. Still, rather than being an ancillary component of an overall information security programme that may not get the attention it deserves, it must be kept front and center. Web-related threats and vulnerabilities as well as their resulting business risks are arguably some of the most formidable challenges to address in IT. This is why it’s so important to consider who is in charge of this business function. Different organisations address web security differently, and that's okay. In the end, what matters is that web security is getting the attention it deserves.

Be on the lookout for the best interests of the business.

From the software developers who write the actual code to the executive management in charge of the security budget, proactive oversight in this area is something you don't want to skimp on. Web security initiatives ultimately need to be part of your information security program, discussed and executed via an information security or IT governance committee. This is a small committee comprised of a diverse group of people, both inside and outside of IT, who can ask good questions, come up with reasonable solutions, and be on the lookout for the best interests of the business.

About the author
Kevin Beaver, CISSP is an information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 31 years in IT and 25 years in security, Kevin specializes in independent security assessments and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security. He has written 12 books on security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin has written over 1,000 articles on security and regularly contributes to TechTarget's SearchSecurity.com, Ziff Davis' Toolbox.com, and Iron Mountain’s InfoGoTo.com. He has a bachelor’s in Computer Engineering Technology from Southern College of Technology and a master’s in Management of Technology from Georgia Tech. In his free time, Kevin races cars in the SCCA Spec Miata class and enjoys riding dirt bikes and snow skiing.

© PSA Insurance Solutions,