December 22, 2016 By Paul Garvey 3 min read

There was an interesting twist to the recent distributed denial-of-service (DDoS) attack against domain name provider Dyn that plunged huge areas of North America and Europe into internet darkness: The perpetrators didn’t directly attack the servers of their ultimate target. Instead, they compromised 100,000 small, interconnected devices with weak default passwords, building an enormous botnet that then battered the real target. In doing so, these attackers make the case for secure by design.

These incidents serve as evidence that the future of cyberattacks and threat vectors is largely unknowable. However, we do know that the threat environment is highly dynamic and unpredictable. Enterprises must prepare for the inevitable attacks by building security deeply into the requirements of applications and the platforms, as well as architectures that support them.

That’s secure by design. The principle requires IT teams to presume attacks will happen and take great care a priori to minimize the impact when a breach is discovered.

Creating Trusted Partnerships

Taking a secure-by-design approach requires organizations and their vendors to work together as trusted partners. When this happens, issues are uncovered early and costly consequences can be avoided. For example, we recently consulted with a very large financial services organization that was launching a next-generation platform, essentially supporting its entire business and its new, fully digital strategy. What we found, fortunately well ahead of the launch, was that security was not a priority in the design phase of that platform. We avoided potential major downstream issues by working with the organization to build security into the platform from the design point.

This is not a new position for IBM. We’ve been pushing secure by design for many years now. We recognize that in the era of the lean development process, security is a potentially disruptive area that affects not only the development itself, but also the entire environment and architecture where the development resides.

Many organizations are exposed from a security perspective, predominantly in their legacy environments but also in new development rollouts. Banks, for example, frequently carry large legacy architectures. These banks must assess the costs of either fully securing their architectures or proposing alternative delivery models. Often these costs outweigh the benefits. These legacy systems typically have sparse documentation, and experts have often either retired or moved on. Just how quickly can organizations move away from the vulnerabilities of legacy architectures, and toward emerging consumption models such as cloud and as-a-service models?

Cloud Security Considerations

Moving to the cloud doesn’t change the principles of secure by design. An enterprise cannot transfer the responsibility for the security of its data and applications to cloud service providers. It remains your responsibility to build security deeply into the applications you deliver.

In fact, the whole question of security in the cloud is generally a tricky one for enterprises to resolve. We recognize that, as workloads inevitably transition to the cloud, there will be an increased call for transparent cyber resiliency. Seen this way, cloud does not change the principles of secure by design.

Cloud can inject more agility into development processes, so perhaps an enterprise can more quickly leverage different security technologies in the market place. We’re seeing more reusable code around securing application program interfaces (APIs), which may drive quicker time-to-realization of security requirements in the cloud.

Make Your IT Environment Secure by Design

In any case, it’s important use secure by design early in applications and architecture development to provide the right level of security downstream in a highly dynamic threat environment. The enterprise is still responsible for the applications it writes.

IBM recently demonstrated its massive commitment to cybersecurity when it launched the X-Force Command Centers. There, IT and C-suite executives can experience simulated cyberattacks to practice responding to real-life incidents.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today