August 4, 2014 By Rick M Robinson 2 min read

If you want to make sure visitors to a building are properly checked in at the front door, the best time by far to arrange for this security precaution is at the initial design stage. This is when the front entry can be designed to be secure, practical and inviting, and other entrances can either be eliminated or appropriately secured.

Unsurprisingly, the same principle applies to cyber security, privacy protection and all-around system quality. The time to get these things right is when a system is initially designed because security, privacy and quality can then be built right into the system’s architecture. Trying to retrofit them later is not impossible, but it is guaranteed to be more difficult and to open up more opportunities for error.

Legacies Happen, but the Future of Cyber Security Begins Today

Truthfully, in the real world, we do not always get to start with a clean slate. In the same way companies must use existing buildings, they must often use existing legacy systems — and they often pay a heavy price for it. As Amanda Vicinanzo reports at Homeland Security Today, both private and public organizations continue to be stung by security breaches. All too often, they learn the hard way that they need security guidelines for implementing updates or even a security reporting plan.

Legacy systems cannot be done over from scratch, but they can be updated and upgraded. Each of these changes can serve as a starting point for security, privacy and quality. This is one of the crucial points made by Erik van Ommeren, Martin Borrett and Marinus Kuivenhoven in their new e-book, “Staying Ahead in the Cyber Security Game.”

As the authors note, “Whenever you plan a new release for this older system, you have to apply a new security pattern.”

‘It’s Not a Feature, It’s a Bug’

According to the e-book, security by design begins with the recognition that “there are circumstances when bad things happen to seemingly good software.” Or, as Tim Holman recently wrote at Computer Weekly, businesses should “start with the assumption that a cyber attack will be successful.” The only way to prevent failure is to plan for it.

The authors of “Staying Ahead” call this designing for anti-patterns, or negative use cases. Suppose, for example, that authenticated users could check their past five transactions in a mobile banking app. To build in security, it is critical for designers to also consider unwanted outcomes, such as nonauthenticated users being able to check recent transactions or authenticated users being able to check someone else’s recent transactions.
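The negative use cases above can be written as executable checks next to the positive one. This is an added example, not code from the e-book or the article; the session tokens, account IDs, amounts and the `recent_transactions` function are constructed for illustration.

```python
class AuthenticationRequired(Exception):
    """No valid session: the caller is not an authenticated user."""

class AccessDenied(Exception):
    """Authenticated, but not entitled to the requested account."""

# Constructed sample data (not from the e-book); amounts are oldest first.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNT_OWNER = {"acct-100": "alice", "acct-200": "bob"}
TRANSACTIONS = {"acct-100": [10, 20, 30, 40, 50, 60, 70], "acct-200": [5, 15]}
MAX_RECENT = 5  # the use case: "past five transactions"

def recent_transactions(session_token, account_id, count=MAX_RECENT):
    # Negative case 1: nonauthenticated caller (missing or unknown token).
    user = SESSIONS.get(session_token)
    if user is None:
        raise AuthenticationRequired("valid session required")
    # Negative case 2: authenticated caller asking for someone else's account.
    # Ownership comes from server-side data, never from the request. Unknown
    # accounts get the same error, so responses do not reveal which IDs exist.
    if ACCOUNT_OWNER.get(account_id) != user:
        raise AccessDenied("account not available")
    # Clamp to 1..MAX_RECENT; an unclamped 0 would slice [-0:] = full history.
    n = max(1, min(count, MAX_RECENT))
    return TRANSACTIONS[account_id][-n:]

def run_negative_cases():
    """Run each unwanted outcome and record what the service actually did."""
    cases = {
        "no session": (None, "acct-100"),
        "forged session": ("tok-mallory", "acct-100"),
        "other user's account": ("tok-alice", "acct-200"),
        "unknown account": ("tok-alice", "acct-999"),
    }
    outcomes = {}
    for name, (token, account) in cases.items():
        try:
            recent_transactions(token, account)
            outcomes[name] = "allowed"  # a design failure if this ever appears
        except AuthenticationRequired:
            outcomes[name] = "unauthenticated"
        except AccessDenied:
            outcomes[name] = "denied"
    return outcomes

if __name__ == "__main__":
    print(recent_transactions("tok-alice", "acct-100"))
    for name, outcome in run_negative_cases().items():
        print(f"{name}: {outcome}")
```

Kept in the regression suite, these cases fail the build if a later release of the system lets any of the unwanted outcomes through.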


Implementing security by design is a process that operates along two parallel tracks. One is technical — making sure that the code actually does what it is supposed to do. But the other track, while equally critical, is “the project management or process path, where the decisions about resolution of these requirements are tracked to satisfactory resolution.”

Only management-level initiative and follow-through can ensure this happens. When it is done properly, it will also ensure that the technical path is correctly followed. The end result will not be perfect security or privacy protection because, in the real world, these things are unattainable. However, the result will be robust protection that is integral to the system and builds the foundation for continued cyber security improvements.
