Application security is a constant concern for both companies and users. But, although vulnerabilities put corporate and customer data at risk, cybersecurity has historically been an afterthought in software development. In the early days, even the internet didn't have much in the way of security. Thankfully, over the past few years, many companies have realized the benefits of proactively including security from a project's beginning -- making it an inherent part of a product in the design phase, instead of waiting until the final build to determine its security shortcomings. Even so, too many organizations still overlook the importance of taking a cybersecurity-by-design approach throughout the entire product lifecycle -- design, build, release, maintenance and retirement. As a result, data breaches at some of the biggest organizations in the world continue to make headlines.
Business drivers like time to market and profitability usually take precedence over security, but consumers are becoming increasingly aware of the impact and consequences of a data breach and are abandoning apps and services they don't trust with their information. Also, legislation such as HIPAA and the European GDPR has dramatically increased potential fines for organizations that don't enact the appropriate measures to safeguard user data.
Security teams need to hammer home the fact that their organizations are obligated to protect customer data and that the best way to do this is by adopting a proactive cybersecurity-by-design approach. They must work to reframe and promote security as a business driver -- mitigating risk upfront actually enables a business to move faster -- and, therefore, as a KPI, rather than an unnecessary drag on daily productivity.
The first challenge for security teams advocating for cybersecurity by design will inevitably be to dispel senior managers' potential doubts regarding the likelihood of cybercriminals targeting their organizations or departments. Rather than citing general statistics like "76% of organizations worldwide experienced a phishing attack in the past year," it's better to use recent examples of real-life security events and their consequences at similar organizations. Paint a picture; make them feel uneasy.
The next task will be to explain that cybersecurity by design isn't achievable through any single practice, like including security at the beginning of a project. Disregarding security in any phase of the development lifecycle means other phases inevitably inherit vulnerabilities, leading to a flawed product that exposes the organization to attack and the need for expensive remediation.
While it takes only one weak link to undermine the integrity of a product or service, secure software is well within reach. An organization needs a comprehensive security policy that has the full backing of senior management and spans all parts of the company. This policy should inform well-documented processes that make everyone responsible for proactively safeguarding data, ensuring security becomes a meaningful part of every stage of a product's lifecycle.
This shift to a cybersecurity-by-design approach to delivering products and services will incur initial and additional expenses. Budgets and deadlines will need adjustments, but consistent implementation of the new security policy will make products and services far more resistant to attack, preventing costly interruptions to day-to-day operations. This -- together with greater efficiency, compliance and responsiveness to changing business demands -- makes the case for an upfront investment.
Try using a pilot project to gauge how prepared different departments are for cybersecurity by design and to help inform a full-scale implementation roadmap. Tying responsibilities and job descriptions directly to security policies is a great way to promote the program and convince everyone this isn't just a passing trend but a vital culture shift in the age of the cloud.
A data classification exercise will enable stakeholders to see where their data is -- often a surprise -- what their risks are and where further security measures are necessary to comply with applicable policies or external laws and regulations. Metrics will be essential to monitor the effects of the extended security presence and to justify its ongoing support. Also, promote the use of a common terminology across the organization to help ensure everyone speaks the same language when discussing security.
Cultivating a cybersecurity-by-design ethos -- as well as changing processes, tools and people in the process -- can be a time-consuming challenge. Failing to commit to proactive, end-to-end security, however, is a high-risk strategy that exposes an organization to potentially crippling financial losses and irreparable damage to customer confidence. Changing how an organization views security is not an overnight process. Getting buy-in on the idea that security is everyone's responsibility is achievable, however, as long as C-level managers all actively promote the importance of security and align responsibilities and budgets accordingly. They should be only too happy to do this once they hear the case for security as an enabler of the business.