In a recent state of the industry report, the Financial Conduct Authority presented “security by design” as a key element of cybersecurity and information security – and an essential part of companies’ digital transformation. But what does “security by design” actually look like? Who’s involved, who’s responsible, and what changes need to be made? What, in short, is to be done?
Martin C. Walker is a founding partner of the Information Defense Corporation. With twenty-five years of experience in IT and almost twenty of specialised work in information security and compliance, Martin is perfectly placed to turn the concept of “security by design” into something concrete and practical.
What is security by design?
On the face of it, says Martin, security by design is a simple concept. To him, it means giving information security a seat at the table from the very early stages of the design and development of any new process, application, or architecture. “Security by design ensures that security concepts are baked into the final product,” he explains, “rather than simply layered on like a bandage at the end.
The devil, as ever, is in the detail. Depending on the complexity of the end product, security by design can be quite involved.
For example, a multi-tenant cloud-based application – an app which is installed once and used remotely by multiple people – has some very specific infosec requirements. Data needs to be segregated between tenants (users can’t be allowed to access each others’ records). Sanitised and unsanitised third-party data also need to be screened to protect the app itself. Access needs to be secure, with strong multi-factor organisation (think of all the times you have to log in with a password, a captcha image, and a code sent to your mobile phone). The app needs to secure credentials for everyone who’s logging on remotely, and it needs to screen and reject input that may include malware or viruses. And that’s just the app itself. Information security also extends into domain names, email transport of data, and other underlying services that the app itself relies on. Without these services being secure, the app is a castle built on quicksand.
This all sounds dense and technical, but, as Martin observes, “it’s no more complex than other business functions like accounting. It’s just another speciality.” The problem is that while board members generally have a strong grasp of other business functions – they may know everything worth knowing about how to manage currency exchange risks or how to ensure safety and good workflow on a production floor – they have a much more tenuous grasp of information security concepts, not even knowing the basic sources of risk and how they should be addressed.
That problem can be addressed by ensuring that board level and senior leadership members of staff have a regular briefing that’s not necessarily technical, but helps drive home where risks are coming from and what regulatory mandates are in play. “They need a level of understanding that lets them say, ‘this is important, we need somebody on staff who understands this’,” Martin explains – even if they don’t know all the ins and outs themselves.
What stops businesses achieving security by design?
“The problem is cultural,” says Martin, “and the solution starts with accountability.” In order to properly ensure security concepts are given their due diligence, you need to create an organisational culture that considers information security to be as important as employee KPIs. Infosec metrics need to be on the same level as time to market or transactional performance.
Culture, to Martin, is “the way you think, act and communicate: in an organisation, creating a culture of information security means different things.”
To begin with, you need to establish roles, positions and policies that foster the behaviours you want to see. This can be as simple as making sure senior management actually believes in information security, introduces roles with titles that show they take it seriously, and invites the occupants of those roles to meaningful meetings.
“If the CISO is the lone voice in the wilderness crying about information security, nobody will take it seriously,” Martin explains, “but if other senior members of staff are making sure to transition into the desired culture and actually do things, its importance will be understood. It can’t be done with an eyeroll – starting with ‘we’ve got to do this’ won’t make the cultural transition.”
There are two reasons why businesses start to make this transition. First: they’re recovering from an information security breach of some kind. Second: they’ve entered a market where they’re mandated to act a certain way, or they’ve been audited and fined and told they need to act a certain way to meet standards.
This sounds like a bad thing, but according to Martin, “that’s the best place to start from.” This kind of rough start communicates that properly addressing information security is a critical activity for the business because there are real and potentially significant financial impacts to not paying due diligence. It also shows, with crystal clarity, that information security has impacts beyond ‘cyber attacks’.
You don’t have to be hacked. If you’re suddenly not able to take credit card payments because your security doesn’t meet the required standards, you’re still in trouble. Martin says it’s important to see this situation in the right light, however: “this is an enabler for business, not a roadblock. It’s a way to enter new markets in a fashion that helps the business.”
How do we instil security by design into a business?
The best approach to instil security into a business’ culture? Ensure that senior members of staff have at least a basic understanding of the sources of risk, the motivations of malicious actors, the threats facing that particular business, and the potential outcomes of any realised threats to their business. This could be achieved through regular – quarterly, perhaps – security briefings to senior staff .
Ratify a policy that establishes the responsibility and authority for managing information security risk in the enterprise, and assign that to an individual with appropriate skill level at the appropriate layer in the organisation. Martin often sees information security falling under IT, rather than existing as a parallel organisation. “In practice,” he says, “this means information security requirements are subordinate to IT requirements – features and times and costs take precedence over ‘is it secure?’”
In addition, the business should have a senior member of staff whose responsibility is the understanding and management of information security risk – in other words: a Chief Information Security Officer. Many standards and regulations, including GDPR, require that someone takes on this role on a formal basis.
For smaller organisations, this can seem like another barrier. Many companies can’t afford to hire a member of staff that has the requisite skill levels, but still recognise the need or even mandate to have that position covered. “Rather than simply assign the responsibility to an existing member of staff that may not have the necessary skills and knowledge,” Martin says, “an organisation in this position should consider contractually engaging an outside firm that specialises in this field.” An on-contract CISO is far better than an untrained CISO, or worse – no CISO at all.
Beyond this, businesses should provide training to the technical staff to raise their awareness, their level of understanding, and introduce security training for developers, system administrators and network staff – they know IT, but it doesn’t follow that they know security.
Include security-related Key Performance Indicators as part of employee performance objectives, and include information security checks or validation as stage gates in the life-cycle of any IT related function or activity. The “stage gate” part is important – information security can’t be the last thing on the agenda, as Martin went on to explain.
What kind of mistakes do businesses make when thinking about information security?
“The biggest infosec mistake is simply not thinking about it,” Martin says. The accelerating lifecycle of IT assets means that security concerns are constantly changing and updating, and too many professionals are behind the curve.
Virtual desktop environments and cloud-based services are creating elastic environments, which have a high population of virtual machines driven by transactional load. The increasing use of container technology and microservices are only creating more security issues. “As the pace of change increases,” says Martin, “it is imperative that information security considerations be pushed earlier and earlier in the lifecycle of IT projects.”
The second biggest mistake? “The development process, especially when it’s outsourced. I frequently see information security relegated to simply a penetration test at the end of the process, which of course is grossly insufficient.” A failure to take information security risks into consideration early in the development means security controls are layered on top of an existing design – they’re trying to restrict user access to vulnerabilities, rather than eliminating them altogether where possible.
“The third most common mistake I see is not understanding the motivation of malicious actors,” Martin explains. “Too many businesses think they’re too small or unimportant to be attacked, without realising that many victims of information security breaches are simply targets of opportunity.”
In real terms, this means the cyber attackers weren’t after you: you were caught in the crossfire. Once an attacker has discovered your business is vulnerable, they may not act on the vulnerability straight away – but that doesn’t mean you’re safe. “Small organisations are traded on an underground market,” says Martin: “there’s an active market for breached organisations.” Essentially, details of the data breach in your company may be sold to someone who actually wants to attack you.
Along with this, many companies confuse a malicious actor’s ability (or lack thereof) to monetise an attack on their business with the likelihood of being attacked. “Attacks are not always about money,” Martin points out, “and the impact on your business goes beyond money.” Some attackers are activists, motivated by a perceived issue of social justice; some are here to disrupt operations wherever they can, at the behest of state sponsors; and sometimes they’re still doing it because they can.
Closing thought: security is a culture
“It’s rather trite to say information security is everyone’s responsibility,” says Martin, “and to a great extent it’s not true.”
Ultimate responsibility rests with senior leadership and the board, who must create a culture where information security is valued rather than seen as a roadblock or unnecessary cost burden. At a technical level, the CISO (if one exists) and CIO have responsibility to ensure information security is part of the business, and that thinking should be filtered down to all members of the IT organisation.
For any new product, service, or application, information security metrics should be considered alongside other metrics like time to market, or transactional performance, and the IT organisation should be aware of that.
Security is a culture, and it extends through an entire business. “You can say you’re doing all these things you should be doing,” in Martin’s opinion (and ours), “but if the culture isn’t there to support it, you end up giving infosec short shrift.”