Why You Should Develop A Security-by-design Approach To Cyber Strategy And Architecture



Cyber-security threats have been prevalent in every online space almost since the inception of the internet. In fact, these threats have only increased in number and complexity as our lives move increasingly online.

According to the EY Global Information Security Survey conducted in 2020, however, 64 percent of companies aren’t putting the right security measures in place until something goes wrong – and when they do, it often comes at a high cost.

A security-by-design approach is crucial to mitigating these risks and protecting your business from potential cyber-attacks. By taking a proactive approach to security, you can ensure that your systems are designed and built with security in mind from the ground up.

What is the security-by-design approach?

The security-by-design (SbD) approach is based on the principle of defense in depth, which advocates for multiple layers of security to protect against various threats. It’s a methodology that prioritizes security at every stage of the development process, from planning and design through to implementation and maintenance.

SbD integrates security into the very DNA of an organization, rather than treating it as an afterthought.

Why is a security-by-design approach important?

There are many reasons why a security-by-design approach is so important, but perhaps the most important is that it helps to prevent vulnerabilities from being introduced in the first place. By taking a proactive and holistic approach to security, you can avoid common mistakes that can leave your systems open to attack.

Point-in-time security simply isn’t enough anymore. With the rate of change in technology today, new vulnerabilities are being discovered all the time. A security-by-design approach helps to future-proof your systems by taking into account known risks as well as those that haven’t been discovered yet.

What’s more, the traditional perimeter-based security measures don’t work as well in today’s cloud-based world. The approach only focuses on protecting the network perimeter, rather than individual devices and data. A security-by-design approach, on the other hand, can help to protect your data wherever it resides.

Security-by-design: the benefits

More and more organizations are adopting the security-by-design ethos, for the simple reason that it is far more effective. So what are the specific benefits of this approach?

Security over secrecy

In the past, the act of securing crucial data, technology, and systems has relied heavily upon keeping them secret; the more people who know about them, the greater the risk of a breach. Security-by-design flips this logic on its head, instead advocating for transparency and collaboration.

Why is this more effective? Secrecy can always be cracked given enough time and effort. And, as we’ve seen time and again, no organization is immune to being hacked. A security-by-design approach helps to build trust between organizations and their stakeholders, which is crucial for long-term success.

Internal solutions

A system under attack must rely on its own defenses; external measures are often too late to the scene, so if the computer itself can’t resist the attack, the data is likely already compromised. Internal solutions are much more effective at stopping attacks before they happen.

Security-by-design ensures that the systems themselves are always equipped with solutions to any problem. This way, if an attack does manage to penetrate the system, it will be quickly stopped and contained before any serious damage can be done. It doesn’t matter if the security team gets alerted too late; the system will have already protected itself.

Empowering employees

Employees are often the weakest link in an organization’s security. They can unwittingly expose systems to attack through their own behavior, whether it’s clicking on a phishing email or using weak passwords. However, they can also be a powerful asset in the fight against cybercrime.

A security-by-design approach empowers employees by giving them the tools and knowledge they need to stay safe online. They can be your first line of defense against attacks, and they can help to spread awareness of good security practices throughout the organization.

Does it cost more to implement such a process?

The general consensus is that security-by-design does hold more value for an organization in the long run. Cybersecurity is an investment, and like any investment, there are risks and rewards associated with it.

When you factor in the costs of a data breach (e.g., loss of customers, damage to reputation, legal fees), the expense of implementing a security-by-design approach is much more palatable. Not to mention, the cost of compliance is only going to increase as new regulations are enacted (e.g., GDPR, CCPA).

Note, however, that the most value is going to be gained from this approach when implemented at the very beginning of a project development lifecycle. That’s because security-by-design puts security measures around every part of the project, from the team working on it to the code itself. The sooner you start, the more value you’ll get from it.

What will change in terms of capability, strategy, and architecture?

To understand exactly how the security-by-design approach will change your strategy and architecture, it’s helpful to consider the principles outlined by The Open Web Application Security Project (OWASP):

  1. Minimize attack surface area. Limit access as much as possible during the coding phase, so that an attacker has fewer places to find and exploit vulnerabilities. Example: use an API instead of a GUI.
  2. Establish secure defaults. Applications should be secure by default – not as an afterthought. Example: have all security settings tuned to maximum security when they’re installed, even if the user weakens them later on.
  3. Least privilege. Users should only be given the permissions they need to do their jobs, no more and no less. Example: if a user doesn’t need admin privileges to build web pages, don’t grant them.
  4. Defense in depth. A layered security approach should be taken, with multiple lines of defense. Example: use multi-factor authentication on top of password protection.
  5. Fail securely. Failures happen all the time in software use, but no failure should ever result in a security weakness, or in granting more privileges than were intended. Example: if a user fails authentication, don’t let them in, and don’t give them any clues about why.
  6. Don’t trust services. If your software uses third-party apps to obtain data or perform actions, don’t assume that those services are secure. Example: use SSL/TLS to encrypt data in transit to and from third-party services.
  7. Separation of duties. Assume that all employees are capable of fraud, no matter how trustworthy – and therefore, only grant them the access they need for their job. Example: don’t give customer service reps access to back-end systems.
  8. Avoid security by obscurity. As mentioned previously, it is ineffective to rely on secrecy to protect your systems. All it takes is one person with malicious intent to find and exploit a vulnerability.
  9. Keep security simple. The more complex your security measures are, the more difficult they are to understand and edit, which makes them more likely to fail. Keep security measures as simple as possible, while still being effective. Example: use a standard salted hash to store passwords instead of a custom encryption scheme.
  10. Fix security issues correctly. Never use band-aid solutions to fix critical problems – get to the root every single time. Make sure to also test for regression after making a fix, to ensure that the problem doesn’t come back.
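As an added illustration of principles 5 (fail securely) and 9 (keep security simple) above, not code from the original post, here is a Python password check that stores passwords with a standard salted hash, rejects any malformed record rather than raising, and returns the same generic message whether the username or the password was wrong. The usernames, passwords and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Assumed parameters for the example: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str) -> str:
    """Keep it simple: a standard salted hash, not a custom encryption scheme."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Fail securely: a malformed or unexpected record is a rejection, never an exception."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        # Constant-time comparison so response time does not depend on how many bytes match.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        return False


# A throwaway hash checked when the username is unknown, so that unknown and known
# usernames take the same time to reject (no clue about which accounts exist).
DUMMY_HASH = hash_password(os.urandom(16).hex())


def authenticate(users: Dict[str, str], username: str, password: str) -> Tuple[bool, str]:
    """Return (ok, message); the message never says whether the user or the password was wrong."""
    stored = users.get(username, DUMMY_HASH)
    ok = verify_password(stored, password) and username in users
    return (True, "") if ok else (False, GENERIC_ERROR)


# Constructed sample user store for the example.
USERS = {"alice": hash_password("correct horse battery staple")}

if __name__ == "__main__":
    print(authenticate(USERS, "alice", "correct horse battery staple"))  # (True, '')
    print(authenticate(USERS, "alice", "wrong"))    # (False, 'Invalid username or password.')
    print(authenticate(USERS, "mallory", "wrong"))  # same message: no hint that the user is unknown
```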

As you can see, applying these principles will influence the architecture and strategy of your security. Most of the time, you’ll actually be simplifying your security posture, which will make it more effective and easier to manage.

Ultimately, there is no denying that shifting to the security-by-design approach is an investment of time and money, and it will shift the way your organization does business.

But the benefits – a more streamlined and effective security posture, increased customer trust, and avoidance of costly breaches – make it an investment well worth taking.
