August 4, 2014 By Rick M Robinson 2 min read

If you want to make sure visitors to a building are properly checked in at the front door, the best time by far to arrange for this security precaution is at the initial design stage. This is when the front entry can be designed to be secure, practical and inviting, and other entrances can either be eliminated or appropriately secured.

Unsurprisingly, the same principle applies to cyber security, privacy protection and all-around system quality. The time to get these things right is when a system is initially designed because security, privacy and quality can then be built right into the system’s architecture. Trying to retrofit them later on is not impossible, but it is guaranteed to be more difficult and open up more opportunities for error.

Legacies Happen, but the Future of Cyber Security Begins Today

Truthfully, in the real world, we do not always get to start with a clean slate. In the same way companies must use existing buildings, they must often use existing legacy systems — and they often pay a heavy price for it. As Amanda Vicinanzo reports at Homeland Security Today, both private and public organizations continue to be stung by security breaches. All too often, they learn the hard way that they need security guidelines for implementing updates or even a security reporting plan.

Legacy systems cannot be done over from scratch, but they can be updated and upgraded. Each of these changes can serve as a starting point for security, privacy and quality. This is one of the crucial points made by Erik van Ommeren, Martin Borrett and Marinus Kuivenhoven in their new e-book, “Staying Ahead in the Cyber Security Game.”

As the authors note, “Whenever you plan a new release for this older system, you have to apply a new security pattern.”

‘It’s Not a Feature, It’s a Bug’

According to the e-book, security by design begins with the recognition that “there are circumstances when bad things happen to seemingly good software.” Or, as Tim Holman recently wrote at Computer Weekly, businesses should “start with the assumption that a cyber attack will be successful.” The only way to prevent failure is to plan for it.

The authors of “Staying Ahead” call this designing for anti-patterns, or negative use cases. Suppose, for example, that authenticated users could check their past five transactions in a mobile banking app. To build in security, it is critical for designers to also consider unwanted outcomes, such as nonauthenticated users being able to check recent transactions or authenticated users being able to check someone else’s recent transactions.

Download the complete e-book: Staying Ahead of the Cyber Security Game

Implementing security by design is a process that operates along two parallel tracks. One is technical — making sure that the code actually does what it is supposed to do. But the other track, while equally critical, is “the project management or process path, where the decisions about resolution of these requirements are tracked to satisfactory resolution.”

Only management-level initiative and follow-through can ensure this happens. When it is done properly, it will also ensure that the technical path is correctly followed. The end result will not be perfect security nor privacy protection because in the real world, these things are unattainable. However, the result will be robust protection, which is integral to the system and will build the foundation for continued cyber security improvements.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today