December 22, 2016 By Paul Garvey 3 min read

There was an interesting twist to the recent distributed denial-of-service (DDoS) attack against domain name provider Dyn that plunged huge areas of North America and Europe into internet darkness: The perpetrators didn’t directly attack the servers of their ultimate target. Instead, they compromised 100,000 small, interconnected devices with weak default passwords, building an enormous botnet that then battered the real target. In doing so, these attackers made the case for secure by design.

Incidents like this serve as evidence that the future of cyberattacks and threat vectors is largely unknowable. What we do know is that the threat environment is highly dynamic and unpredictable. Enterprises must prepare for the inevitable attacks by building security deeply into the requirements of their applications, and of the platforms and architectures that support them.

That’s secure by design. The principle requires IT teams to presume attacks will happen and take great care a priori to minimize the impact when a breach is discovered.

Creating Trusted Partnerships

Taking a secure-by-design approach requires organizations and their vendors to work together as trusted partners. When this happens, issues are uncovered early and costly consequences can be avoided. For example, we recently consulted with a very large financial services organization that was launching a next-generation platform, essentially supporting its entire business and its new, fully digital strategy. What we found, fortunately well ahead of the launch, was that security was not a priority in the design phase of that platform. We avoided potential major downstream issues by working with the organization to build security into the platform from the design point.

This is not a new position for IBM. We’ve been pushing secure by design for many years now. We recognize that in the era of the lean development process, security is a potentially disruptive area that affects not only the development itself, but also the entire environment and architecture where the development resides.

Many organizations are exposed from a security perspective, predominantly in their legacy environments but also in new development rollouts. Banks, for example, frequently carry large legacy architectures. These banks must assess the costs of either fully securing their architectures or proposing alternative delivery models. Often these costs outweigh the benefits. These legacy systems typically have sparse documentation, and experts have often either retired or moved on. Just how quickly can organizations move away from the vulnerabilities of legacy architectures, and toward emerging consumption models such as cloud and as-a-service models?

Cloud Security Considerations

Moving to the cloud doesn’t change the principles of secure by design. An enterprise cannot transfer the responsibility for the security of its data and applications to cloud service providers. It remains your responsibility to build security deeply into the applications you deliver.

In fact, the whole question of security in the cloud is generally a tricky one for enterprises to resolve. We recognize that, as workloads inevitably transition to the cloud, there will be an increased call for transparent cyber resiliency. Seen this way, cloud does not change the principles of secure by design.

Cloud can inject more agility into development processes, so perhaps an enterprise can more quickly leverage different security technologies in the marketplace. We’re seeing more reusable code around securing application program interfaces (APIs), which may drive quicker time-to-realization of security requirements in the cloud.

Make Your IT Environment Secure by Design

In any case, it’s important to apply secure by design early in application and architecture development to provide the right level of security downstream in a highly dynamic threat environment. The enterprise is still responsible for the applications it writes.

IBM recently demonstrated its massive commitment to cybersecurity when it launched the X-Force Command Centers. There, IT and C-suite executives can experience simulated cyberattacks to practice responding to real-life incidents.
