
VIEWPOINT

SECURITY BY DESIGN

Good [security] wins customers, empowers employees and streamlines compliance. However, most [companies] continue to view security as just a [technology] issue. Instead, CXOs must work with [business] and technology leaders to design security into systems, processes and people from the start. To get there, companies must remember that their enterprise is just one node in a larger network.

Global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the period from 2017 to 2021.[1] It will account for 10% of overall IT spending in 2020.[2]

Even so, most companies incorporate security into systems just before deployment in a bid to meet compliance and internal security assessment criteria. More proactive firms integrate security into their systems from the very beginning. However, even these firms fail to ensure that their workforce understands security protocols, and they lack effective governance processes to put [them] in place. As the [threat] landscape increases due to massive digitization across industries and the integration of “internet of things” and operational technology with IT, this ‘people and process’ element is now more important than ever.

Done effectively, this more holistic “secure by design” approach will reduce the overall cybersecurity risk from internal and external threats. Properly devised, it can also reduce costs and aid the organization in increasing customer satisfaction through enhanced customer confidence.

A widening threat landscape with fewer security experts

As major firms strive to keep pace with their young, mobile and connected workers, some experts say that it has become easier to hack into an [organization], steal its secrets or create havoc with its systems. Employees can now work on their own portable devices, including smartphones, tablets and laptops. This “bring your own device” movement is accelerating the development of a market that is projected to hit $367 billion by 2022, up from $30 billion six years ago.[3] Such devices increase the exposure to malicious applications and viruses, and disclose precious intellectual property if the device is stolen. Hackers are also known to create trust through the use of popular applications and subtly request sensitive [information]. Eighty-five percent of mobile apps have little to no protection, which allows criminals to continually harvest data, connections and resources from the wider business ecosystem.[4]

The fact that large organizations are often just a node in a wider network further increases cyber risk. Hackers often target weak links in partner organizations. Many breaches occur when lax security by third-party vendors exposes system credentials, which can be used to install [malware] that captures credit card or other sensitive information. With the advent of the cloud, internet of things and operational technology, [organizations] are more connected than ever to a wider network of partners, sharing ever more data without full assurance that proper security measures are in place.

Open-source software is also a problem. Business software now comprises more than 50% open source code.[5] Firms may be using outdated open-source libraries that are easy for hackers to penetrate. In fact, research shows that 78% of audited codebases contain at least one open-source vulnerability, of which 54% are very high risk.[6] These days, many businesses don’t just invent new code; many create devices, products, even platforms based on that code.

This would all be manageable if firms had the talent to instil security into systems and processes from the start. However, security experts are in short supply. One estimate predicts there will be a shortfall of 1.8 million security workers by 2022.[7] Seven in 10 software developers are expected to write secure code, but less than half receive adequate training.[8]

To fight back, firms must make security part of their DNA. They must upskill employees, build secure software development pipelines and implement effective security controls across all people, processes and [technology].

Security by design

Security mechanisms such as threat intelligence platforms and penetration testing do much to thwart attackers and expose system vulnerabilities. Good [software] can be designed by weaving security, compliance and […] requirements into the requirements documents. Security is then embedded during the architecture and design phases so that code can be released speedily with increased confidence. Organizations must also ensure that sensitive information is masked when moved to non-production environments that may not have sufficient security controls in place.

However, beyond securing the systems themselves, firms can do six things to ensure appropriate governance is in place and that people don’t become the weakest link in the chain.

Six things all firms must do

First, anytime anyone in the organization creates anything, they must first come up with a security architecture review process for all the systems that they develop or procure from third parties. This review covers security considerations in the architecture, such as […] and […] approaches. Senior management, as high up as board level, have to highlight why it’s important for every company unit to adhere to this process.

Second, threat modeling should be carried out for very complex projects. This process involves looking at code from the perspective of a potential hacker and identifies threats in advance. The STRIDE framework, which was first implemented by [Microsoft] to identify system entities, possible events and the boundaries of the system, can be used here. This helps in designing code that is safe from identity spoofing, data tampering, information disclosure, denial of service (exhausting the resources needed to provide a service) and allowing someone to do something they are not allowed to do.[9]

Third, every person in the company ecosystem, whether employee, vendor or partner, should undergo security awareness training. This “second line of defense” education should be easy to understand and based on business terms. Negligence of security protocols is often more of a threat than malicious behavior. Firms can segment their teams based on the groups at risk of fraud or exposure and educate them on proper cyber procedures.

Fourth, organizations must have a governance process in place for usage of open source software. Only security tested and legally vetted open source components should be used by development teams.

Fifth, DevSecOps, a security-led variant of the DevOps method of [software development], can be used to design secure code faster and more cheaply. Here, security practices, standards and tools automate the software development life cycle by fusing business, development, testing, deployment and operations. This reduces the time spent in scans and ensures compliance with ever-stricter regulations. To aid in this, experts can be brought in to the DevSecOps process to train small teams in secure agile development. They must be innovative thinkers, quick on their feet and open minded. With this operating model in place, security is naturally seen as an integral and critical part of a well-oiled machine.

Finally, and most importantly, the C-suite must be involved in the effort, and time must be invested in developing a clear vision for what “secure by design” means within the firm. The function of the chief [information security] officer should be empowered, and the officer must report to the board. Assets must be rated on their level of importance, and more investment must be plowed into systems that are more complex or risky.

The extended ecosystem

Security by design must extend beyond the gates of the enterprise. It is of great importance to remember that most large [enterprises] act as a node in a much larger network of suppliers, partners, distributors and regulators. It is critical then that all third parties are safe to bring on board. Firms must confirm internal systems are secure by design while making sure security is embedded into contracts when third parties are on-boarded. Guidelines must be in place to ensure third-party relations are safe. Third-party [assessments] can be used to […] determine the suitability of a vendor for a given task and whether they can keep information secure. Good processes include review, monitoring and management over the entire vendor life cycle.

“It takes 20 years to build a reputation and five minutes to ruin it,” said Warren Buffett. To ensure those five minutes aren’t due to breaches in insecure systems or employee negligence, business leaders must quickly learn to speak the same language as their security counterparts. Once sponsorship comes from the very top, employees will be invigorated to ensure that systems are secure and will be more vigilant about how and where they use devices out of office. Partners will trust that their data is being carefully safeguarded beyond corporate perimeters. Customers, for their part, will be more loyal, resting safe in the knowledge that their data is secure. And businesses will view security not as a necessity but as a differentiator for gaining share of wallet.

External Document © 2020 Infosys Limited
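The "Security by design" section asks that sensitive information be masked before a production extract reaches a non-production environment. The following is an added example of what that masking step can look like for a customer export; it is not code from the original page or from Infosys. It uses keyed pseudonyms for identifiers (so foreign keys still join across tables), format-preserving masking for card numbers, e-mail addresses and phone numbers, and a final check that no raw value survived. The field names, the sample records and the key are constructed for the example.

```python
"""Mask sensitive fields before a production extract is copied to a
non-production environment (added illustration, not Infosys code).
Field names, sample records and the key are constructed for the example."""
import hashlib
import hmac
import json
import re

# Constructed sample records standing in for a production customer export.
PRODUCTION_RECORDS = [
    {"customer_id": "C-1001", "email": "ana.lopez@example.com",
     "card_number": "4111 1111 1111 1111", "phone": "+44 20 7946 0958",
     "plan": "gold"},
    {"customer_id": "C-1002", "email": "li.wei@example.org",
     "card_number": "5500000000000004", "phone": "+1 415 555 0134",
     "plan": "silver"},
]

# Constructed key. In practice it lives in a secrets manager and is never
# shipped to the non-production environment with the masked data, so the
# tokens cannot be reversed there.
PSEUDONYM_KEY = b"example-masking-key-do-not-reuse"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: the same input always yields the same
    token, so foreign keys still join across tables after masking."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PSEUDO-" + digest[:12]


def mask_card(card_number: str) -> str:
    """Keep only the last four digits (enough to test display logic);
    separators in the input are dropped."""
    digits = re.sub(r"\D", "", card_number)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Replace the local part with a token and keep the domain, so the
    value still parses as an e-mail address in test code."""
    local, sep, domain = email.partition("@")
    if not sep:
        return "redacted"
    return pseudonymize(local).lower() + "@" + domain


def mask_phone(phone: str) -> str:
    """Blank every digit except the last two, preserving the layout."""
    total = sum(ch.isdigit() for ch in phone)
    out, seen = [], 0
    for ch in phone:
        if ch.isdigit():
            out.append(ch if seen >= total - 2 else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


# Which rule applies to which field; fields not listed are copied as-is.
MASKING_RULES = {
    "customer_id": pseudonymize,
    "email": mask_email,
    "card_number": mask_card,
    "phone": mask_phone,
}


def mask_record(record: dict) -> dict:
    """Apply every masking rule whose field is present and non-null."""
    masked = dict(record)
    for field, rule in MASKING_RULES.items():
        if masked.get(field) is not None:
            masked[field] = rule(masked[field])
    return masked


def mask_export(records: list) -> list:
    return [mask_record(r) for r in records]


def verify_no_leak(original: list, masked: list) -> bool:
    """Release gate for the copy job: every masked field must differ from
    its source value, and no 13-19 digit run (a likely card number) may
    survive anywhere in the serialised output."""
    for src, dst in zip(original, masked):
        for field in MASKING_RULES:
            if src.get(field) is not None and src[field] == dst.get(field):
                return False
    return re.search(r"\d{13,19}", json.dumps(masked)) is None


if __name__ == "__main__":
    masked_export = mask_export(PRODUCTION_RECORDS)
    print(json.dumps(masked_export, indent=2))
    print("safe to copy:", verify_no_leak(PRODUCTION_RECORDS, masked_export))
```

The copy job would run mask_export over the extract and refuse to proceed unless verify_no_leak returns true. The pseudonyms are keyed HMAC tokens rather than plain hashes so that a tester who knows the identifier format cannot rebuild the mapping by hashing guesses, as long as the key stays out of the lower environment.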

References

1. Global Cybersecurity Spending Predicted To Exceed $1 Trillion From 2017-2021, […] Magazine
2. Businesses Use AI to Thwart Hackers, WSJ Pro Cybersecurity
3. The Future of BYOD: […], Predictions and Best Practices To Prep For The Future, Forbes
4. Cybersecurity Trends in 2020: BYOD and Mobile, Technology Advice
5. How GitHub secures open source software, GitHub
6. 5 Open Source Security […] You Should Know About, xfive
7. Confronting the Cyber Talent Crunch in Consumer Products, WSJ
8. Software Developers Face […] Challenges, Dark Reading
9. Threat Modeling: 12 Available Methods, Carnegie Mellon University

Authors

Sujatha Mudulodu, Cyber Security Practice Manager – Infosys, [email protected]
Harry Keir Hughes, Senior Consultant – Infosys Knowledge Institute, [email protected]

About Infosys Knowledge Institute

The Infosys Knowledge Institute helps industry leaders develop a deeper understanding of business and technology trends through compelling thought leadership. Our researchers and subject matter experts provide a fact base that aids decision making on critical business and technology issues. To view our research, visit Infosys Knowledge Institute at infosys.com/IKI

For more information, contact [email protected]

© 2020 Infosys Limited, Bengaluru, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the prior permission of Infosys Limited and/ or any named intellectual property rights holders under this document.

Infosys.com | NYSE: INFY