Within the security community of late, the focus has been on “shifting left”, and while that has merit, it is somewhat myopic missing some of the realities of defense in practice. Instead, I propose a simple framework to help guide initiatives that will “level up” defenses and greatly improve security postures wholistically. Some license is taken in terminology in order to keep things simple, memorable, and applicable.

For those responsible directly or indirectly for the cyber defense of their organizations, June 2023 is proving to be an extremely challenging month. In this month alone, vulnerabilities were discovered in various appliances, ranging from CVE-2023-27997 impacting FortiGate devices to CVE-2023-35708 impacting MOVEit Transfer software as well as the exploitation activity discovered of Barracuda appliances via CVE-2023-2868.

The financial outlook for the rest of 2023 and 2024 is far from cheery, and economic uncertainty is affecting everyone and everything, including the cybersecurity sector. Security budget cuts or freezes are the course many organizations are tempted to take in this financially precarious situation. Conservative spending is a natural response to the present economic downturn and a possible recession knocking on our doors, implying fewer clients, lower profits, and higher costs.

More and more organizations are abandoning the outdated waterfall development methodology for more practical and efficient Agile development practices. As this movement has occurred, development teams are moving faster than ever by employing Continuous Integration (CI) and Continuous Deployment (CD) practices that are serving to shorten development cycles and get new features into production faster. This does, however, come with greater security risk in some respects.