Security by Design is a proactive, pragmatic, and strategic approach that seeks to consider risk and embed security from the outset, and at every stage of a new initiative. The security “shift left” facilitates collaboration amongst development and security teams using iterative and continuous development methodologies to discuss, design and implement security controls, reducing not only security risk, but also longer-term costs. By applying Security by Design principles, organisations can integrate appropriate countermeasures into solution designs and architectures, avoiding the higher costs that would arise should these requirements only be identified during implementation, test, or worse still, in production.
“Where cybersecurity is involved from the start – focussed on security and privacy by design – there is an opportunity to work with regulation and compliance in mind from the beginning, rather than having to reverse-engineer it,” advised Carol Murphy, EY Ireland Consulting Partner and Head of Technology Risk.
Five steps to secure by design
To respond appropriately to the challenges posed by an ever-changing threat-landscape, organisations must start to consider Security by Design in their SDLC, aligning security-related processes and activities with development activities, and promoting collaboration between security and development personnel. Risk cannot, and need not, be avoided altogether but, by recognising potential pitfalls early, risk-appropriate security decisions and controls can be adopted, resulting in an overall more cost-effective solution delivery process.
Here is what organisations can do to embed Security by Design into their digital transformation initiatives:
- Establish a Security by Design framework and principles so that there is an understanding of how and when a Security by Design approach is required.
- Establish processes to ensure that security risks are identified early, assessed continuously, and managed appropriately
- Conduct security workshops with business and security teams. Use these to develop threat models to identify a common perspective of key risks to be managed through the technical solution and supporting processes under development.
- Provide stage-gates and decision points at different phases to ensure that no progress decision is made without an assessment of risk.
- Implement tools and controls, supported by automation, to limit process deviation and increase efficiency.
By following a Security by Design approach, organisations can identify critical risk-based requirements up front. These can provide a reliable, repeatable base for broader use. The consideration and use of Threat Intelligence (TI) and modelling, Zero-Trust (ZT) architectures, Secure Access Service Edge (SASE), Data Loss Protection (DLP) and Security Orchestration and Automation Response (SOAR), as well as traditional security mechanisms such as firewalls, Intrusion Protection Systems (IPS) and Security Incident and Event Management (SIEM) are now even more essential.
New approaches, such as DevSecOps, allow faster delivery of change in the digital paradigm and require faster, more secure delivery mechanisms. DevOps tools help businesses to innovate at speed. DevSecOps, if deployed strategically, can elevate compliance maturity levels, boost productivity, and reduce time to market. DevSecOps supports continuous innovation that requires a strong security underpinning. It builds security into products and helps automate cybersecurity practices so that they are utilised for continuous deployment.
Earlier you ‘shift left,’ the better
No matter where you are on your digital journey and whatever delivery methodology you are using, the basic concept of planning and requirements definition, design, test, and build remain unchanged. By keeping to these basics and ensuring the security requirements remain relevant, organisations can mitigate the increased security risk presented by digital transformation in a controlled manner. In addition, this approach allows all project stakeholders to remain comfortable with the specific methodology variances of design, build and test.
Today’s transformative age no longer consists of simple niche innovations. These are now global networked systems which will themselves become interconnected and will increasingly form the basis of everything we do day-to-day. The new normal demands that organisations develop and use modern technologies to adopt a Security by Design approach and start “shifting left” to consider security earlier in the development pipeline. Those who fail to do so may reduce their competitive advantage, compromise their regulatory position, and increase their risk exposure. A proactive, pragmatic, and strategic approach that considers risk from the outset – rather than as an afterthought – can make the difference between those who stagnate and those who thrive in the digital transformation age.