There was an interesting twist to the recent distributed denial-of-service (DDoS) attack against domain name provider Dyn that plunged huge areas of North America and Europe into internet darkness: The perpetrators didn’t directly attack the servers of their ultimate target. Instead, they compromised 100,000 small, interconnected devices with weak default passwords, building an enormous botnet that then battered the real target. In doing so, these attackers make the case for secure by design.

These incidents serve as evidence that the future of cyberattacks and threat vectors is largely unknowable. However, we do know that the threat environment is highly dynamic and unpredictable. Enterprises must prepare for the inevitable attacks by building security deeply into the requirements of applications, as well as the platforms and architectures that support them.

That’s secure by design. The principle requires IT teams to presume attacks will happen and take great care a priori to minimize the impact when a breach is discovered.

Creating Trusted Partnerships

Taking a secure-by-design approach requires organizations and their vendors to work together as trusted partners. When this happens, issues are uncovered early and costly consequences can be avoided. For example, we recently consulted with a very large financial services organization that was launching a next-generation platform, essentially supporting its entire business and its new, fully digital strategy. What we found, fortunately well ahead of the launch, was that security was not a priority in the design phase of that platform. We avoided potential major downstream issues by working with the organization to build security into the platform from the design point.

This is not a new position for IBM. We’ve been pushing secure by design for many years now. We recognize that in the era of the lean development process, security is a potentially disruptive area that affects not only the development itself, but also the entire environment and architecture where the development resides.

Many organizations are exposed from a security perspective, predominantly in their legacy environments but also in new development rollouts. Banks, for example, frequently carry large legacy architectures. These banks must assess the costs of either fully securing their architectures or proposing alternative delivery models. Often these costs outweigh the benefits. These legacy systems typically have sparse documentation, and experts have often either retired or moved on. Just how quickly can organizations move away from the vulnerabilities of legacy architectures, and toward emerging consumption models such as cloud and as-a-service models?

Cloud Security Considerations

Moving to the cloud doesn’t change the principles of secure by design. An enterprise cannot transfer the responsibility for the security of its data and applications to cloud service providers. It remains your responsibility to build security deeply into the applications you deliver.

In fact, the whole question of security in the cloud is generally a tricky one for enterprises to resolve. We recognize that, as workloads inevitably transition to the cloud, there will be an increased call for transparent cyber resiliency. Seen this way, cloud does not change the principles of secure by design.

Cloud can inject more agility into development processes, so perhaps an enterprise can more quickly leverage different security technologies in the marketplace. We’re seeing more reusable code around securing application program interfaces (APIs), which may drive quicker time-to-realization of security requirements in the cloud.

Make Your IT Environment Secure by Design

In any case, it’s important to use secure by design early in applications and architecture development to provide the right level of security downstream in a highly dynamic threat environment. The enterprise is still responsible for the applications it writes.

IBM recently demonstrated its massive commitment to cybersecurity when it launched the X-Force Command Centers. There, IT and C-suite executives can experience simulated cyberattacks to practice responding to real-life incidents.
