August 4, 2014 By Rick M Robinson 2 min read

If you want to make sure visitors to a building are properly checked in at the front door, the best time by far to arrange for this security precaution is at the initial design stage. This is when the front entry can be designed to be secure, practical and inviting, and other entrances can either be eliminated or appropriately secured.

Unsurprisingly, the same principle applies to cyber security, privacy protection and all-around system quality. The time to get these things right is when a system is initially designed because security, privacy and quality can then be built right into the system’s architecture. Trying to retrofit them later on is not impossible, but it is guaranteed to be more difficult and open up more opportunities for error.

Legacies Happen, but the Future of Cyber Security Begins Today

Truthfully, in the real world, we do not always get to start with a clean slate. In the same way companies must use existing buildings, they must often use existing legacy systems — and they often pay a heavy price for it. As Amanda Vicinanzo reports at Homeland Security Today, both private and public organizations continue to be stung by security breaches. All too often, they learn the hard way that they need security guidelines for implementing updates or even a security reporting plan.

Legacy systems cannot be done over from scratch, but they can be updated and upgraded. Each of these changes can serve as a starting point for security, privacy and quality. This is one of the crucial points made by Erik van Ommeren, Martin Borrett and Marinus Kuivenhoven in their new e-book, “Staying Ahead in the Cyber Security Game.”

As the authors note, “Whenever you plan a new release for this older system, you have to apply a new security pattern.”

‘It’s Not a Feature, It’s a Bug’

According to the e-book, security by design begins with the recognition that “there are circumstances when bad things happen to seemingly good software.” Or, as Tim Holman recently wrote at Computer Weekly, businesses should “start with the assumption that a cyber attack will be successful.” The only way to prevent failure is to plan for it.

The authors of “Staying Ahead” call this designing for anti-patterns, or negative use cases. Suppose, for example, that authenticated users could check their past five transactions in a mobile banking app. To build in security, it is critical for designers to also consider unwanted outcomes, such as nonauthenticated users being able to check recent transactions or authenticated users being able to check someone else’s recent transactions.

Download the complete e-book: Staying Ahead of the Cyber Security Game

Implementing security by design is a process that operates along two parallel tracks. One is technical — making sure that the code actually does what it is supposed to do. But the other track, while equally critical, is “the project management or process path, where the decisions about resolution of these requirements are tracked to satisfactory resolution.”

Only management-level initiative and follow-through can ensure this happens. When it is done properly, it will also ensure that the technical path is correctly followed. The end result will not be perfect security nor privacy protection because in the real world, these things are unattainable. However, the result will be robust protection, which is integral to the system and will build the foundation for continued cyber security improvements.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today