December 22, 2016 By Paul Garvey 3 min read

There was an interesting twist to the recent distributed denial-of-service (DDoS) attack against domain name provider Dyn that plunged huge areas of North America and Europe into internet darkness: The perpetrators didn’t directly attack the servers of their ultimate target. Instead, they compromised 100,000 small, interconnected devices with weak default passwords, building an enormous botnet that then battered the real target. In doing so, these attackers make the case for secure by design.

These incidents serve as evidence that the future of cyberattacks and threat vectors is largely unknowable. However, we do know that the threat environment is highly dynamic and unpredictable. Enterprises must prepare for the inevitable attacks by building security deeply into the requirements of applications and the platforms, as well as architectures that support them.

That’s secure by design. The principle requires IT teams to presume attacks will happen and take great care a priori to minimize the impact when a breach is discovered.

Creating Trusted Partnerships

Taking a secure-by-design approach requires organizations and their vendors to work together as trusted partners. When this happens, issues are uncovered early and costly consequences can be avoided. For example, we recently consulted with a very large financial services organization that was launching a next-generation platform, essentially supporting its entire business and its new, fully digital strategy. What we found, fortunately well ahead of the launch, was that security was not a priority in the design phase of that platform. We avoided potential major downstream issues by working with the organization to build security into the platform from the design point.

This is not a new position for IBM. We’ve been pushing secure by design for many years now. We recognize that in the era of the lean development process, security is a potentially disruptive area that affects not only the development itself, but also the entire environment and architecture where the development resides.

Many organizations are exposed from a security perspective, predominantly in their legacy environments but also in new development rollouts. Banks, for example, frequently carry large legacy architectures. These banks must assess the costs of either fully securing their architectures or proposing alternative delivery models. Often these costs outweigh the benefits. These legacy systems typically have sparse documentation, and experts have often either retired or moved on. Just how quickly can organizations move away from the vulnerabilities of legacy architectures, and toward emerging consumption models such as cloud and as-a-service models?

Cloud Security Considerations

Moving to the cloud doesn’t change the principles of secure by design. An enterprise cannot transfer the responsibility for the security of its data and applications to cloud service providers. It remains your responsibility to build security deeply into the applications you deliver.

In fact, the whole question of security in the cloud is generally a tricky one for enterprises to resolve. We recognize that, as workloads inevitably transition to the cloud, there will be an increased call for transparent cyber resiliency. Seen this way, cloud does not change the principles of secure by design.

Cloud can inject more agility into development processes, so perhaps an enterprise can more quickly leverage different security technologies in the market place. We’re seeing more reusable code around securing application program interfaces (APIs), which may drive quicker time-to-realization of security requirements in the cloud.

Make Your IT Environment Secure by Design

In any case, it’s important use secure by design early in applications and architecture development to provide the right level of security downstream in a highly dynamic threat environment. The enterprise is still responsible for the applications it writes.

IBM recently demonstrated its massive commitment to cybersecurity when it launched the X-Force Command Centers. There, IT and C-suite executives can experience simulated cyberattacks to practice responding to real-life incidents.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today