In our digital-centric society, CIOs are the catalyst for innovation, ensuring businesses and consumers alike receive rapid, seamless access to data and services. As technology has evolved, so, too, has the role of CIOs. They now hold the ultimate responsibility for the successful implementation and management of technologies needed to operate and scale the business. They also must ensure that this is performed in a secure manner.
With rampant cyberattacks plaguing enterprises across the globe, keeping bad actors at bay has become a key component of a CIO’s responsibilities. According to recent research, 70 percent of CIOs anticipate that their involvement in organizational security practices and procedures will increase this year.
Why APIs have become the most frequent attack vector
CIOs face a host of security concerns: misconfigured infrastructure and services, compromised credentials, phishing and social engineering, to name a few. However, as the recent T-Mobile and Optus breaches showed, each exposing the personally identifiable information (PII) of millions of customers, abuse of Application Programming Interfaces (APIs) has become the most prominent vector for reaching a company’s most valuable possession: user data.
Why? APIs are one of the greatest enablers of high-agility connectivity between customers and their vital data and services along with being a core component of achieving digital transformation success. APIs are built at every turn in modern environments. Since they are expressly created to share critical information, they make a lucrative and attractive target for attackers, who wish to gain access and move laterally throughout an organization’s network.
CIOs must always balance the need for rapid innovation and progress with the need to protect the business. API security is one of the critical intersection points that lets companies move faster and more securely at the same time. Everyone understands the need for cloud security in today’s environments. Not everyone appreciates, however, that cloud security depends on API security: cloud services are provisioned, configured and administered through APIs, and the applications built on them expose their data through APIs as well. This dependency makes API security a business problem, and therefore a CIO problem, not simply a security team’s problem.
How CIOs can strengthen their API security posture
To strengthen the security posture of their APIs, CIOs can undertake several key initiatives in collaboration with security teams.
First, IT best practice starts with asset management, and API security is no different. To avoid control gaps across the application landscape, CIOs must establish a strong API governance strategy built on a full and accurate inventory of every API in the existing infrastructure; after all, you cannot manage what you cannot see. Governance programs should prioritize API inventory assessment so that the business maintains a continuously updated list of all the APIs running in its infrastructure. Most organizations carry a significant share of so-called “shadow APIs”: APIs that were never documented, often because they were built outside the API governance platform, and which therefore sit outside the controls that platform enforces.
Second, CIOs can help build organizational understanding of the risks associated with APIs. They should sponsor education initiatives so that teams recognize the most common API security threats, including those outlined in the OWASP API Security Top 10 (for example, broken object level authorization, where a caller can read another user’s records simply by changing an identifier in the request). Working together with security teams, CIOs must adopt API programs that continuously monitor the infrastructure for these common abuses. Developers are building and rolling out APIs into production faster than ever, so to protect APIs (including those the organization is not yet aware of) it needs a safety net of runtime protection.
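The two initiatives above, inventory reconciliation to surface shadow APIs and continuous monitoring for common abuses, are both things a practitioner can start from an API gateway’s access logs. The script below is an added example written for this article, not code from the original page or from any vendor it mentions. It assumes a simple log line format (`client_ip method path status`), a small hand-written route inventory standing in for an OpenAPI-derived one, and a constructed set of log lines; the enumeration threshold is likewise an arbitrary illustrative value.

```python
"""Added example (not from the original article): reconcile gateway access logs
against a documented API inventory to surface shadow endpoints, and flag
object-ID enumeration on a route, the traffic signature of a broken object level
authorization (BOLA) abuse from the OWASP API Security Top 10.

Log format, route inventory, sample lines and threshold are all assumptions
made for illustration.
"""
import re
from collections import defaultdict

# Assumed inventory of documented routes, in the template form an OpenAPI
# document would give (constructed for this example).
DOCUMENTED_ROUTES = {
    ("GET", "/v1/users/{id}"),
    ("GET", "/v1/orders/{id}"),
    ("POST", "/v1/orders"),
}

# Constructed sample gateway log lines (not real traffic): client_ip method path status
SAMPLE_LOG = """\
10.0.0.5 GET /v1/users/1001 200
10.0.0.5 GET /v1/orders/55 200
10.0.0.9 GET /v1/users/1001 200
10.0.0.9 GET /v1/users/1002 200
10.0.0.9 GET /v1/users/1003 200
10.0.0.9 GET /v1/users/1004 200
10.0.0.9 GET /v1/users/1005 404
10.0.0.9 GET /v1/users/1006 200
10.0.0.7 GET /internal/export/users 200
10.0.0.7 POST /v2/orders 201
10.0.0.5 GET /v1/orders/56 404
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def parse_log(text):
    """Parse log lines into dicts. Lines that do not match the assumed format
    are skipped rather than aborting the whole run."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def normalize_path(path):
    """Collapse purely numeric path segments to {id} so concrete URLs such as
    /v1/users/1001 can be compared with the /v1/users/{id} route template."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def find_shadow_endpoints(records, documented=DOCUMENTED_ROUTES):
    """Return (method, route template) pairs observed in traffic but absent from
    the documented inventory: the shadow APIs governance has not seen."""
    observed = {(r["method"], normalize_path(r["path"])) for r in records}
    return sorted(observed - documented)


def find_enumeration(records, route_template, threshold=5):
    """Return {client_ip: distinct_id_count} for clients that requested at least
    `threshold` distinct object IDs on one route. Failed lookups (4xx) count too,
    because an ID walk typically produces them alongside the hits."""
    ids_by_client = defaultdict(set)
    for r in records:
        if normalize_path(r["path"]) == route_template:
            ids_by_client[r["ip"]].add(r["path"].rsplit("/", 1)[-1])
    return {ip: len(ids) for ip, ids in ids_by_client.items() if len(ids) >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Shadow endpoints:", find_shadow_endpoints(recs))
    print("Enumeration suspects on /v1/users/{id}:",
          find_enumeration(recs, "/v1/users/{id}"))
```

In a real deployment the inventory would be generated from the OpenAPI specifications held in the governance platform, the log source would be the gateway or service mesh, and the two checks would run on a schedule, with every new shadow endpoint routed to the owning team and every enumeration hit to the security operations queue. The enumeration threshold needs tuning per route: a legitimate batch job may fetch thousands of objects, so the signal is a client touching many IDs on a route where a normal user touches only its own.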
Finally, CIOs can accelerate API security initiatives by increasing organizational awareness about the potential risks and costs that API incidents represent for the company. API breaches can cost millions. In the case of its recent breach, Optus estimated the aftermath costs at $140 million. CIOs play a big role in both helping teams understand those risks and developing a collaborative and security-aware environment across development, IT and security.
The bottom line
To protect against the evolving tactics and techniques of bad actors, CIOs must understand the API landscape. APIs have become the number one business enabler, as well as the top attack vector, and it’s essential to secure them. To reduce overall risk and keep the company moving fast and focused on innovation, CIOs must introduce API strategies and controls. This includes a complete API inventory, as well as cross-functional organizational understanding about the biggest API threats and business risks.