Why security by design and security DevOps are so critical to success


The advances made in technology throughout the past several decades have brought about an inevitable digital transformation, which companies are experiencing in today’s world. This transformation isn’t necessarily about the rise of new technology but, more so, about people’s desire for technology integration in order to make their everyday lives – and businesses – more efficient.

But what about the security of those technologies? The embedding of security controls and mechanisms is crucial to the digital transformation of a company. With the increasing number of devices equipped with SmartX internal controls, securing the applications that manage those devices is essential.

Security by Design is more than just a catchphrase; it is the essential ingredient in a secure digital transformation. As companies begin the process, the role of the CISO becomes one of technical accuracy and governance – ensuring that security control mechanisms are embedded across the board, in processes, application designs, device controls, systems and the fundamental architecture of each phase of transformation.

Likewise, secure digital transformation is more than just policy and procedures, and it’s not enough to simply provide oversight. The CISO must become a cybersecurity leader supporting the company’s total digital transformation.

As uncomfortable as it may be for some CISOs to step out of their designated role, they must transform Security by Design from a “concept” into a fundamental “practice.” The CISO and his or her team must be proficient not only in governance (policy, processes and standards oversight), but also in the identification of technical control sets across the enterprise, the company’s digital landscape and its vertical lines of business.

The concept of Security by Design must be articulated and integrated at the core of the design phase so that security controls and mechanisms become the bedrock of a company’s digital transformation. Among the core design principles from a security perspective is the establishment of an Information Security Management System (ISMS) – a competency that is, ultimately, a competitive advantage, regardless of the vertical line of business.

Secure Development Operations (SecDevOps) is a new conceptual aspect of the applications-development process. From a transformative CISO perspective, the ability of the cybersecurity team to be intimately involved with the development process is critical, given the digital landscape of every company today.

Ensuring that the company’s applications and subsequent source code are secure and clean – from the initial design, to testing, quality assurance and code release – should be the primary responsibility of the CISO and the technical team. Establishing a SecDevOps structure and process into the agile development process must be fundamental in embedding security controls and mechanisms.

It’s increasingly imperative that companies embrace the concept of embedding security in everything they do – from sales presentations and value statements, to the human capital, the systems that drive the business, and the applications that are the lifeblood of the enterprise. The security of all those digital assets and frameworks is critical to success. In order to succeed, executive teams and decision makers must allow CISOs to engage in all aspects of the business and then hold them accountable.

Security shouldn’t be an afterthought. It’s always more expensive (possibly as high as 6x the initial cost) to bolt on security controls to an existing ecosystem in order to mitigate risk – especially after a breach. It will always cost less money and protect your company’s operation and reputation in the long run to build and embed security controls in systems and applications from the very start – during the ideation and design phases.