Security does not simply drop off the ‘to-do’ list as soon as a project is complete
When a project team sets out to implement a new IT system, all too often, the topic of security isn’t given enough consideration until it’s far too late. While common sense might dictate that security vulnerabilities are likely to be more expensive and time-consuming to fix after the fact, it is still frequently overlooked (or simply cast aside) until later in the piece. Not only does this put the project itself at risk – an unsecure system can also result in significant financial or reputational risk to the entire business.
The reason why security is routinely an afterthought is something that continues to baffle security experts. Tom Moore, Practice Manager for Australia and New Zealand at leading Wellington-based cyber security firm, Aura Information Security, explains why businesses need to adopt a ‘Secure by Design’ approach to not only minimise the likelihood of projects running into unexpected cost; but also avoid exposing the business to unnecessary risk.
Security as an afterthought
It’s true that the security aspect of any new IT system probably isn’t going to be the thing that gets the project team excited. Security relies heavily on people and process – and everyone is likely to be focused on designing and building the amazing technology rather than the security of it. Unfortunately, it’s precisely this sort of short-term thinking that leaves vulnerabilities in your IT that can be easily exploited by cybercriminals.
One example of this in action is the recent hack of American consumer credit reporting agency Equifax, where it is reported the identities of up to 44 million people were compromised. In that hack, the customer details acquired by the hackers could then be used to fraudulently open lines of credit. Equifax – a listed company – saw its stock lose 13 per cent of its value in the immediate aftermath.
Despite the constant barrage of highly public security compromises, and the significant financial and reputational impact they have, the level of maturity and awareness relating to the business risk that information security represents is mixed at best. Government tends to be somewhat ahead of the game, however much of the private market is immature with a tendency to rush into delivering the functionality desired by the business.
Unfortunately, for many businesses it often takes a negative experience to put the topic of information security on the agenda. Our team is regularly called upon at the eleventh hour to help remediate security vulnerabilities that could have easily been fixed much earlier in the project – often under the watchful eye of a project manager whose deadline and budget is fast approaching, or well passed.
When you buy a car, you expect the manufacturer has considered safety features such as seatbelts and airbags before they started thinking about performance and aesthetics. The same should apply when implementing a new IT system.
Why be ‘Secure by Design’?
By adopting a ‘Secure by Design’ approach, businesses can identify security risk in the early stages, and remediate vulnerabilities when it is most cost and time effective. Essentially, ‘Secure by Design’ is about proactively managing your information security risk throughout the project, which in turn enables you to deliver a secure outcome to your business.
Think of it this way: Imagine trying to retrofit seatbelts, airbags, and crumple zones to the design of your car – sounds hard, doesn’t it? When you buy a car, you sort of expect that the manufacturer has considered all of those safety features before they started thinking about performance and aesthetics. The same should apply when implementing a new IT system.
Thankfully, the message does seem to be getting through. In a recent Kordia survey of 225 IT decision makers, more than half of all respondents who were directly involved in the design process of new web-applications stated that security was usually only considered in the middle of the design process or later. However, of those, almost 90 per cent said they saw value in engaging security experts earlier in the process.
The security lifecycle
Whenever you implement something new, or make a significant change, you run the risk of introducing security vulnerabilities. ‘Secure by Design’ aims to give businesses’ visibility of these risks as early as possible, so they can manage them most effectively.
‘Secure by Design’ should start around the whiteboard at the project kick-off meeting, when you are discussing solution requirements and desired business outcomes. By doing this you can not only ensure you are making good security design decisions, but also be assured that you are building your IT in a secure way. Essentially, if you’ve done it right then the security testing phase should not uncover any security show stoppers that you didn’t already know about.
It’s worth noting that being ‘Secure by Design’ isn’t just a one-off.
Security does not simply drop off the ‘to-do’ list as soon as a project is complete, it falls into a security lifecycle. IT systems are not static – they get designed, built, tested and deployed. They get modified and patched, and they have an operational life. All IT systems have an inherent risk that needs to be managed as part of business as usual – with monthly reporting, regular penetration testing and routine scrutiny for any changes to the risk profile.
Consider ‘Secure by Design’ as a four-phase process.
First, the ‘Design’ phase where potential security risks are identified by software and infrastructure security architects.
This is followed by the ‘Build’ phase, in which our consultants help you check that you are building your systems in a secure way.
Next, the team carries out an end-to-end penetration test to ensure any remaining security flaws are remediated and you have full visibility.
Finally, the ‘Operate’ or business as usual phase, where ongoing analysis, reporting and security optimisation occurs for the duration of the system’s operating life.
You’re only as strong as your weakest link
In many cases, the success of a project is judged on a range of criteria, two of which include whether it came in on budget, and whether it was delivered on time.
For the most part, project owners can plan ahead, troubleshoot and assign roles to ensure things stay on track. However, without addressing the need for security early in the project, businesses are missing a glaringly obvious barrier to project success.
If you don’t have visibility of the information security risk you are introducing then you are potentially leaving your business’ crown jewels on a silver platter for cybercriminals.
Remember, it’s better to discover any security vulnerabilities before the hackers do.
Tom Moore is practice manager for Aura Information Security’s New Zealand and Australian operations.
Send news tips and comments to firstname.lastname@example.org
Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.