Digital transformation is famously complex: E-commerce; digital supply chains; multi-cloud environments. These are just a few of the issues that companies face in digitizing their businesses. Now add to this mix a global pandemic that’s infected 50 million people and killed 1.2 million and shows no sign of slowing. If ever there were an imperative to digitally transform, now is it.
The thing is, as companies undergo this process, they heighten their exposure to cyber-attacks. More digitization means more risk. Yet the solution isn’t to move slower. On the contrary, business leaders can move both fast and safely. The trick is to adopt a cybersecurity approach that’s holistic rather than siloed.
This approach bakes security into your systems and applications from the get-go. It takes into account not only your processes but also your people. In short, what you need is something called “security by design,” and there’s no better time to implement this practice than now, when businesses and society are being retooled at a pace and scale that’s breathtaking.
A Seat at the Table
Traditionally, cybersecurity has been seen as the department that says “no.” Cyberfolks are known for insisting on extra testing, identifying last-minute vulnerabilities, and causing cost overruns and delays. However, this reputation isn’t altogether fair. Rather, it results from the fact that cyber experts are excluded from the early stage of a project.
On the other hand, if you include these experts at the outset, design and development can be accomplished in a way that’s both more secure and more profitable. According to primary research from the Boston Consulting Group (BCG), whose cybersecurity practice I lead, such early equity cuts the amount of rework by up to 62%. Such savings reduce not only development time and cost, but also time to market.
What’s more, in gaining a seat at the table, cyber experts become pathfinders who shine a light on the quickest, most cost-effective, and securest routes. They’re no longer curmudgeons who say “no,” but collaborators who are invested in getting to “yes” — and sooner rather than after afternoon coffee break.
The Benefits
The Cloud - For companies in the midst of a cloud journey, the benefits of security by design are dramatic. Because so much of the infrastructure in cloud-based systems is created with software code, that “infrastructure as code” can be reused by hundreds of apps and checked continuously by automated “audit-robots.” This approach lowers everything from operational expenditures to audit costs, while accelerating deployment time and boosting security.
Security by design can also be used to cost effectively enable multi-cloud implementations. Here’s a quick overview: you create a universal cloud cyber framework, and for each application an “application security profile.” The application security profile assigns every application the necessary security controls, then you create a blueprint for each control.
The blueprint contains the infrastructure as code, or the manual processes needed for every cloud to be potentially used (think: Amazon Web Services, Microsoft Azure, Google Cloud Platform, Alibaba Cloud). Whenever the app is needed by a different cloud, the blueprint inserts the appropriate code, processes, and audit automation.
The advantages here are abundant: apps achieve portability among multiple clouds; they can be optimized by location. Also costs are cut and hot-standby redundancy gets enabled. Also disaster recovery becomes easier.
Hard Data
This is the hard data from BCG clients:
- The cost of development is cut by up to 20%.
- The time to implementation drops by up to 15%.
- The cost of security operations falls by up to 20%.
- The cost of compliance audits is slashed by up to 50%.
In short, not only does security by design lift your profits, it also places them on footing that’s stable. For executives, this peace of mind is priceless.
Where Do I Start?
Understanding what security by design is and the benefits it brings is only half the battle. You still need to map that approach to your business — specifically, where your organization is in its digital transformation journey. Here are the five actionable steps you can take now:
Empowerment - Invite a security engineer to every key meeting. It doesn’t matter if the topic is design, development, or something else; empower your cyberfolks to be in the transformation boat, helping to paddle faster.
DevSecOps - Add code scanning to your DevOps process so that cyber vulnerabilities are included in the backlog for remediation in the next sprint.
Pen Testing - Do continuous penetration testing of DevOps applications so that every time a new release emerges from your continuous-integration/continuous-delivery pipeline, it’s probed for vulnerabilities.
Crown Jewels - Prioritize your critical assets that, if compromised, will cause the most damage to your company. Then determine which behaviors would most likely jeopardize those assets, and focus on coaching the pertinent people to change those specific behaviors.
Incident Response Plan - You already have a plan for what happens in the case of an attack, right? Well, now you have to practice that plan with tabletop exercises. No matter how well security is designed in (or added on), most damages accrue after a breach. A well-practiced plan will soften both chaos and losses.
The bottom line: When it comes to cybersecurity, the smartest business leaders think big. They prepare for the worst. When a breach happens — and it will — shareholders, customers, and employees are grateful that executives weren’t asleep at the keyboard.