Cybersecurity is an inherently negative asset. As with any protective measure, the major challenge is to measure the value (or Return on Investment, ROI) of cybersecurity. It is significantly more difficult to make this value apparent to stakeholders: customers, users and decision-makers in the company. When all goes well, the investment in security appears unjustified. When there is an attack and disaster hits, it is too late to think about fixing problems, and so the blame game begins.
Usually, companies that have been targeted by attacks mainly focus on putting out fires, that is, recovering business operations and patching the obvious holes.
Not only is security a negative asset, but it is also a preventive one.
The majority of the value of the investment made in security only shows up after the security defenses catch a major attack, or when a company passes a tough business audit because of proper measures. In general, the task of the Chief Information Security Officer (CISO), or any other security leader for that matter, is quite difficult, because they need to prepare for the inevitable without any substantial evidence to justify the budget.
That being said, it is not surprising to see many argue that security in general is a dismal industry that provides no stellar value to consumers and yet demands a lot of resources.
In the early days of any industry, security isn't usually a part of the product. When cars were first introduced, the emphasis was on functionality. Yet, a few years after the first car hit the market, the first car was stolen and security became an issue.
As a response, the first car alarm was invented. Similarly, the Internet was not designed with security in mind, as it was initially a closed and trusted network among researchers.
As with any technology, once the major features are built and adoption is widespread, safety, reliability and security become bigger issues.
The problem here is that security is often looked at as an afterthought that solves point-in-time problems.
When technology evolves, such bolt-on security solutions need to be replaced. Many argue that security should stop being a bolt-on solution and should be part of product design and development from the very beginning.
Here’s the ‘vicious’ cycle of cybersecurity:
It is very important that all participants in software product design work together to break this cycle. Software developers need to build systems that are secure by design (especially in web application security and secure coding).
It is imperative we see that cybersecurity teams can deliver great value to the business if they are treated as internal consultants and value centers rather than as a cost center. The major problem is that developers and product managers need cybersecurity to be seamlessly integrated with product development.
The fundamental building blocks of secure product design are to make security a feature requirement, to apply security by design, to build security guardrails into the software delivery process and, finally, to build a security-aware developer culture.