Marc Andreessen had it right – software has eaten the world. As a result, the world can be hacked.

Just look at the past few months. The SolarWinds caper – the "largest and most sophisticated attack the world has ever seen," according to Microsoft president Brad Smith – gave its Russian perps months of free rein across untold US government agencies and private companies. But stupid also works: Last month in Florida, a water treatment plant's cybersecurity was so lax that anyone could have been behind a clumsy attempt to poison the local water supply. Meanwhile, miscreants bearing ransomware have made hospitals their favorite target; in October 2020, six US hospitals fell prey within 24 hours.

Cybersecurity wins the award for Most Dismal Science. But if suffering attacks now amounts to a cost of doing business, then the time-honored approach of prioritizing risk and limiting damage when breaches occur still offers reason for hope. This collection of articles from CSO, Computerworld, CIO, InfoWorld, and Network World delivers specific guidance on best security practices across the enterprise, from the C-suite to developer laptops.

Writing for CSO, contributor Stacey Collette addresses the age-old question of how to focus upper management's attention on security in "4 ways to keep the cybersecurity conversation going after the crisis has passed." The thesis is that five-alarm debacles like the SolarWinds attack can serve as useful wake-up calls. 
Collette suggests seizing the moment to convince the board to match the company's business model with an appropriate risk mitigation framework – and to use information sharing and analysis centers to exchange information on industry-specific threats and defensive measures.

CIO's contribution, "Mitigating the hidden risks of digital transformation" by Bob Violino, surfaces a problem hiding in plain sight: Digital innovation almost always increases risk. Everyone understands the transformative power of the cloud, for example, but each IaaS or SaaS provider seems to have a different security model, raising the odds of calamitous misconfiguration. Likewise, digital integration with partners promises all kinds of new efficiencies – and by definition heightens third-party risk. And does it even need to be said that launching an internet of things initiative will vastly expand your attack surface?

A second story written by Violino, this one for Computerworld, explores the cybersecurity obsession of our era: "WFH security lessons from the pandemic." Some of the article covers familiar ground, such as ensuring effective endpoint protection and multifactor authentication for remote workers. But Violino also highlights more advanced solutions, such as cloud desktops and zero-trust network access. He warns that a new wave of preparation will be required for hybrid work scenarios, in which employees alternate between office and home to ensure social distancing at work. The pandemic has proven that remote work at scale is viable – but new solutions, such as pervasive data defense and response platforms, will be necessary to secure our new perimeterless world.

That goes for companies with many distributed offices as well. 
As contributor Maria Korolov reports in the Network World article "WAN challenges steer Sixt to cloud-native SASE deployment," adoption is accelerating for secure access service edge (SASE), an architecture that combines SD-WAN with various security measures, from encryption to zero-trust authentication. According to Korolov, for the rental car company Sixt, the result was "a 15% to 20% reduction in costs for network maintenance, security, and capacity planning." At Sixt's 80 branch offices, downtime purportedly averages a tenth of what it used to be.

In "6 security risks in software development – and how to address them," InfoWorld contributing editor Isaac Sacolick reminds us that modern cybersecurity means secure code, too. An ESG survey cited in the article reveals that nearly half of respondents admitted they release vulnerable code into production on a regular basis. Thanks to Sacolick's hands-on experience with development teams, he's able to offer a trove of practical remediations for development managers to embrace, from explicitly documenting code security acceptance criteria to ensuring version control repositories are fully locked down.

The SolarWinds fiasco has proven that enforcing such policies is no longer optional. Coverage of the attack has focused on the backdoor that Russian hackers inserted in SolarWinds' Orion products, instantly compromising customers who installed the software. Less attention has been paid to the custom malware the hackers created to slip into SolarWinds' development process undetected and implant that backdoor. Can any software development shop say with confidence that it can withstand such a sophisticated, concerted effort?

Software firms are asking themselves that question right now – while at the same time governments and private enterprises seen as high-value targets are furiously vetting their operations to see if they've fallen victim to other compromised code. 
True, this is merely the latest battlefront against a global horde of cybercriminals, from script kiddies to malicious hackers to state-sponsored masterminds. But no one can accept anything other than the strongest defenses affordable in a war without end.