The pitfalls of neglecting security ownership at the design stage

For companies to avoid bleeding millions through cyber threats, they must build adaptability into their security strategy from the start while considering a range of inputs that go beyond the IT and network access aspects.

In this Help Net Security interview, Nima Baiati, Executive Director and GM, Commercial Cybersecurity Solutions at Lenovo, discusses the disconnect between development and security teams and how companies need to prioritize security and why utilizing a multi-layered strategy is the best way to secure above and below the OS.

There is a disconnect between development and security teams regarding security ownership at the design stage. Can you elaborate on why this is problematic?

Without clear ownership of security during the design stage, many problems can quickly arise. Security should never be an afterthought, or a ‘bolted on’ mechanism after a product is created.

Development teams primarily focus on creating functional and efficient software and hardware, whereas security teams specialize in identifying and mitigating potential risks. Without collaboration, or more ideally integration between the two, security may be overlooked or not adequately addressed, leaving a heightened risk for cyber vulnerabilities.

A good example is a privacy shutter for cameras in laptop computers. Ever see a sticky note on someone’s PC covering the camera? A design team may focus on the quality and placement of the camera as primarily factors for the user experience. However, security professionals know that many users want a physical solution to guarantee cameras cannot capture images if they don’t want to, and on/off indicating lights are not good enough.

What strategies can businesses adopt to ensure both development and security teams are involved from the start of a project?

Product planning and development involves many areas throughout the product life cycle. Planning activity should include defining security requirements when products are first being conceived in order to balance needs of security and data availability. This includes questions like what business are we in, who do we serve and what are their needs? If you are are a financial services firm, your customers will have critical security needs and a higher tolerance for time and activities that protect them, e.g. two-factor authentication.

Once the security requirements are documented, product development teams can establish plans to incorporate appropriate features in the new products.

The latest guidelines insist that ‘security by design’ is not just best practice but a fundamental necessity. How feasible is it for companies, especially smaller ones, to implement this?

SMBs are increasingly targeted because they are perceived to be comparatively soft targets. This trend is exacerbated by the large gap in the supply of cybersecurity professionals, so their IT departments are under pressure to do more with less.

The good news is there is a growing supply of third-party vendors that can provide a broad range of solutions endpoint security, asset management, and network security. Many of these solutions are AI-enabled and automated, so they are increasingly efficient and effective.

The challenge of course is finding the right vendors and products for your organization. Security should be tied to strategy, more organizations are moving away from procuring security solutions by pre-defined, often entrenched purchasing criteria, and moving towards an approach based on the value of security to organizations and their go-to-market models.

What key takeaways should professionals in software development and cybersecurity remember when integrating security into design?

Security has historically been regarded as more of an insurance policy than a business enabler. But it’s more important to focus on where security can play a part in the context of the value a company seeks to create for its customers.

Firms should leverage security as a business tool to support the changes they want to take place in their company, as well as to increase agility for future business-shaping events. If security is not embedded into strategy, and its merely a box-checking exercise to meet compliance goals and can prevent an organization from scaling efficiently.

For example, if a business wants to move further online, but can’t because of weak security or a poor understanding of their requirements and how to scale them as business grows, they will wait – and probably become less competitive.

Companies need to analyze what their priorities are for their business and make security decisions and investments based on those priorities. Some example areas of prioritization are: How mobile do I need my workforce to be? How important is speed of customer interactions or transactions? What geographies or market segments do we want to expand into? Etc. Answering these questions will inform a firm’s security planning, and it should occur co-currently with all the other business planning, not afterwards.