Time to demand IT security by design and default
A tumultuous geo-political landscape and increasing reliance on digital services are upping the urgency of security by design and security by default approaches. Organizations can create a stronger, safer and more secure IT community by challenging IT suppliers to do better.
Imagine the following scenario. Your old vacuum machine packs up, so you head to the shops to buy the latest model as a replacement. The salesperson persuades you to buy the Vacuumatic 3000 due to its enhanced support for social media integration and capacity to provide real-time data on your cleaning efficiency. Your problems start immediately. An embarrassing social media leak reveals to your entire friend list that you’ve never cleaned under the sofa. Then, a criminal gang infects your vacuum with ransomware and you have to pay 50 bitcoins to switch it on again. Years later, despite your terrible experience, you return to the same salesperson when you need a new vacuum and repeat the whole thing.
Few customers would put up with this level of service in any other area, but this has been largely the norm in IT. Traditionally, organizations that buy IT products and services haven’t always given due consideration to security and accept liability for significant security failings. Organizations compensate for poor security through IT maintenance and bolt-on security products, baking in the security costs (including those stemming from security incidents). But not for much longer.
Demanding better, demanding more
Faced with a more hostile international environment, security services in the UK, the US, Canada and Australia have issued a challenge to IT companies to do better through ‘Security by Design’ and ‘Security by Default’. Secure by Design aims to embed cyber security controls into the core of digital services from their inception.
Secure by default is an ethos that promotes solving security problems at the root cause rather than frantically treating the symptoms. These approaches have been mantras for security professionals for decades, yet progress to deliver has been painfully slow; vendors have prioritized quick delivery of business functionality over embedding security and taking the time to test their software.
In societies and economies increasingly underpinned by technology, Security by design and security by default are critical for all IT products and services. It’s in organizations’ self-interest to support an agenda that promotes these approaches across the IT vendor community. The question is how to develop both the mindset and supporting capabilities that enable the change.
Linking security to business strategy
Prioritizing security and delivering on business strategy have been viewed as contradictory, but in fact, they feed each other. Technology strategies increasingly identify security as a key business benefit. Security improvements actively drive positive business impacts and opportunities. For example, better coding standards among IT suppliers will reduce the costs associated with security patching.
To drive appropriate vendor selection without compromising security, mindset change within the boardroom is the first step. Building buy-in among senior leadership teams creates a foundation of support to discourage security-poor supplier selection.
Change the demand, change the supply
Organizations can send a strong message to IT suppliers by re-engineering procurement processes and legal contracts to align with secure by design and security by default approaches. Updates to procurement policies and processes can set explicit expectations and requirements of their suppliers and flag any lapses. This isn’t about catching vendors out – many will benefit from the nudge. Changes in procurement assessment criteria can be flagged to IT suppliers in advance to give them a chance to course-correct. Suppliers can then be assessed against these yardsticks. If they fail to measure up, organizations have a clear justification to stop doing business with them.
The next step is to create liability or penalty clauses in contracts that force IT vendors to share security costs for fixes or bolt-ons. This will drive them to devote more resources to security and prevent rather than scramble to cure security risks. Governments can support this by introducing laws that make it easier to claim under contracts for poor security. This includes frameworks that enable the calculation of costs associated with security incidents.
Governments can also drive change with their significant purchasing power. Collective action across industries and governments will motivate suppliers to change. Suppliers might be able to ignore the concerns of a single customer but are unlikely to withstand pressure from an aligned group.
The market is demanding more from their IT suppliers when it comes to security, and it’s incumbent upon IT suppliers to heed the call. However, this can be a collective effort. Organizations across industries and sectors can nudge suppliers in the right direction through clearly defined, documented expectations in line with Security by Design and Security by Default principles. This will help IT suppliers to up their game – before incoming IT security regulations force them to.