5 minute read
Managing Cybersecurity threats with Security By Design
Managing Cybersecurity threats with Security By Design
The costs of adding security as an ‘afterthought’ far outweigh those associated with baking it in from the start. Security by Design just makes sense, writes Vanessa Leite CISSP, CCSP.
Vanessa Leite CISSP CCSP is a senior cybersecurity manager with over 10 years of experience leading security initiatives across different sectors. Most of her career has been in technical security positions, and she is currently in an executive role leading ANZ’s NZ Advisory and IAM functions. Cybercrime is growing exponentially and is consistent with the growth of technology adoption. Criminals have moved their operations into cyberspace and have been working on developing and enhancing their practices at a concerning pace.
Security experts have been observing a significant increase in sophistication with regard to Tactics, Techniques and Procedures (TTPs), which are patterns of activities associated to specific attacks or hacking groups. No organisation is completely safe from cybersecurity threats nowadays.
Although there is no doubt there has been a significant increase in attack sophistication, the majority of successful compromises are still due to poorly developed, configured and maintained information systems, which in reality do not require any sophisticated exploitation techniques.
According to the IBM 2020 X-Force Threat Intelligence Index, of the top ten vulnerabilities exploited in 2020, only two of these were actually disclosed in the year of 2020, suggesting organisations encounter significant difficulties with performing basic security controls such as vulnerability and patch management.
The Veracode State of Software Security v11 report states that the vast majority of applications analysed by them (76 percent) had some sort of security flaw, indicating that this is an inevitable issue and emphasising the need for strong and consistent collaboration between development and cybersecurity teams.
Making cybersecurity a core part of business strategy and the foundation for the development of applications (or any new solution) is key for managing cybersecurity threats that take advantage of these vulnerabilities. Security by Design can help organisations build more secure solutions and manage cybersecurity threats.
What is Security by Design? Security By Design is originally a principle related to the Software Development Life Cycle (SDLC) where security is intended to be designed into very early stages of a software development process. However, its concepts and applicability can be easily extended and used more broadly for the development and creation of any new solution, including business processes.
The benefits of embedding controls for protecting confidential, integrity and availability of information into early phases of a solution development process are significant. This approach has the potential of enabling organisations to implement more integrated, effective and efficient security controls.
Security by Design is not a new
concept, and it’s also behind other methodologies such as DevSecOps, where security is brought in as part of the DevOps teams, which is the backbone of the Agile Software Delivery process.
The ability for Cybersecurity teams to be so closely involved in any development or creation process is crucial for security, but also for an effective digital transformation.
However, besides the fact that Security by Design is not a new concept and has so many visible advantages, the EY 2020 Global Information Security Survey identifies that only 36 percent of organisations say cybersecurity is involved right from the planning stage of a new business initiatives.
According to the report, a market leading automotive organisation had to recall 1.4 million vehicles in 2015 after their car’s infotainment system was hacked and key control functions, such braking and steering, were proven to be vulnerable after tests from security experts.
If Security by Design can enable more secure and effective digital transformation, why have so many organisations still not fully adopted it?
Historically, cybersecurity teams have been perceived as obstacles for innovation and growth due to noncollaborative approaches, such as saying “no” all the time and throwing over the fence requirements, which tended not to take into consideration business constraints.
Security has come a long way, and today the community acknowledges that a better job needs to be done with regards to finding the balance between business and security requirements and making recommendations that are fit for purpose and take into consideration the user experience.
Nevertheless, within many organisations cybersecurity teams are still positioned as gatekeepers instead of contributors, who cooperate for a security afterthought approach instead of a Security by Design one.
But how to implement Security by Design? Security by Design is all about collaboration and thinking about what could go wrong from the start so that security issues can be addressed before the point at which the cost and time for remediation becomes disproportionately large.
Organisations looking at adopting or enhancing Security by Design should consider the following key aspects:
• Incorporate security controls into every phase of solution creation processes (e.g. SDLC). Controls should be designed in as a core part of any solution. • Establish a risk management framework so that risks are properly communicated and managed. • Have a collaborative approach.
Cybersecurity teams need to contribute to the solution too. • Balancing business with security requirements and consider user experience. Users are likely to bypass security controls that are just too hard to perform. • Establish governance processes and control gates to spot projects that are not engaging cybersecurity at the appropriate stages. • Bring in assessments, such as threat modelling, and perform them in a collaborative manner.
By doing so, cybersecurity teams can obtain a better understanding of the solution, including how it could be subverted and what controls would be necessary to stop it. • Consider controls such as access management, segmentation, logging and monitoring, configuration compliance, vulnerability management, cryptographic and resilience. • Automate as much as possible.
Organisations should be looking at standardising and automating build and update processes, configuration management, logging and monitoring, security testing.
Adopting Security by Design can be a significant change for organisations that still see cybersecurity teams as mainly as a governance function responsible for policies, standards and process oversight. Cybersecurity teams can bring a lot to the table when they work collaboratively with other business areas on the identification and design of security controls.
Afterthought security costs more, and organisations need to realise that a short-term or profit-first approach will lead to failure, which could have serious consequences to their business and customers. Security by Design has the potential to help organisations build a security risk mindset and culture from the outset, which can enable them to innovate and grow in a much more sustainable way.
