Security leaders and their organizations are under constant siege from cyberattacks. Although it’s a shocking figure, it shouldn’t be surprising that the aggregate cost of cyber fraud is projected to reach $6 trillion in 2021. The tactics hackers use are more innovative and relentless than ever, ruthlessly exploiting weak points in an organization’s security. Chief Information Officers (CIOs) are wisely investing in solutions to address cyberattacks but traditional, reactive strategies are simply an expensive game of catch-up. Organizations need to evolve their thinking around cybersecurity to stay ahead of these changing threats. A holistic approach that effectively builds security into all infrastructure and processes from the ground up is cost-effective and necessary to safeguard valuable employee and customer data. This requires an overall shift in philosophy – and adopting the concept of security by design is a key first step.
Security by design is an approach that integrates security considerations into every part of the business. This involves new software development practices, formalizing infrastructure design, automating controls and continuous compliance efforts. Successfully accomplishing this requires a mindset shift across the organization. This places CIOs in the challenging role of change agent. It’s not easy to adjust established practices, but clear communication around the value of a security by design approach will help CIOs best advocate for a transition.
Security from inception
The security by design framework gives security professionals what they’ve always wanted: developers considering security at the beginning of the development process. Rather than retroactively addressing issues, they can contribute to architecture planning from the start. The majority of successful attacks are the result of poor programming or poor software configuration practices. These problems can be more easily solved by taking security into consideration directly from the outset. If a developer includes security features as a design priority, they will be incorporated and upheld through all production stages. Systemic weakness is avoided from the very beginning.
Not only does this development process make for more secure systems, it’s much cheaper, potentially by a factor of 100 depending on the issue. The end of the development process is when time and budget constraints are most acute. Properly considering and implementing security improvements at that point is unrealistic. The security by design process creates a more resilient system where security isn’t just tacked on.
Protecting weak links
The security by design process also involves implementing measures that increase awareness of security flaws throughout an organization’s entire network – including its supply chain. Cybercriminals often exploit weaker third-party access points to illicitly enter otherwise secure networks. Vendors provide services that are key for successful digital transformation and innovation, but organizations need to be vigilant in ensuring the security policies of partners throughout the supply chain are using the same compliant processes.
As an example, many organizations rely on internet-connected appliances and objects, known as the Internet of Things (IoT). Many IoT manufacturers do not prioritize security in product design, and in some cases IoT devices are being shipped with malware pre-implanted. Although it is a major cause of concern for CIOs, recent research from the Neustar International Security Council (NISC) found that fewer than half of cybersecurity professionals have established a plan for if, or when, their IoT networks are compromised.
Put simply, organizations have to understand and monitor the dangers and threats from their supply chain, all the way from raw component vendors to shipping organizations. This requires an “always on” approach, which involves constantly monitoring for threats and testing security processes. To help security teams make sense of the information from tools that generate alerts, they should use curated threat data. All of this involves strategically selecting best-of-breed technologies that provide 24/7 monitoring and protection, along with regular scanning patches for vulnerabilities as and when they arise.
Implementing security by design requires a re-evaluation of who is responsible for the security of the business. Traditionally, CIOs and their teams were expected to independently take this on. This approach was feasible in the past, but it is no longer sufficient with the complexity of the current threat environment. Now there’s a need to embed security throughout all of a company’s operations. This means that cybersecurity is now everyone’s responsibility – from frontline staff to the development and security teams to the C-Suite.
While technical responsibility will continue to fall to the IT team and the CIO, proactively deploying modern solutions requires the right internal skills across the full organization. Companies need to put time and financial support into educating employees on identifying different types of threats and promoting proactivity. This depends on supportive stakeholders at a senior level who buy into a more comprehensive cyber defence strategy.
In addition, the risk factors must be presented to executives to ensure they understand the threats to the business and that they then support the design plan in advance. Businesses will then need to review their processes objectively, going as far as employing outside experts and undergoing industry standard audits to draw conclusions about potential weaknesses and then design and implementation recommendations.
In an increasingly aggressive cybersecurity landscape, security by design methods deliver a clear, cohesive and efficient approach to keeping organizations secure.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.