An Overview of Security First
Security first is a mindset. It’s thinking about your company’s security holistically from the ground up. That means looking beyond technical considerations to see where security fits into everything from how you develop your software to the way in which you approach your business model, hiring practices and even your marketing. It’s important not just for keeping your business safe, but also as a way to differentiate your business by creating better customer experiences.
Why Security First?
Security breaches happen every day. Meanwhile, reports of personal information being leaked, malware attacks, ransomware, and companies using people’s personal data inappropriately are ubiquitous. As a result, security and privacy have transformed from matters of legal risk management and compliance into requirements for business survival. That means that those companies that put security and privacy first will have a strategic competitive advantage that only increases over time.
By 2020, the global cost of cybercrimes is expected to reach $2.5 trillion.
As a high-growth software company, you can no longer view security as an operational concern that’s distinct from your product development. When security is separated from your products, it can easily become an afterthought that’s either a focus at the last minute or, worse, after a breach has already occurred. Those that keep it separate, and get caught up in a security breach, risk a loss of customer trust, a public relations nightmare and even the demise of their business.
To not only survive but also thrive in today’s insecure world, as a software company you need to make a major shift and put security at the center of everything that you do. That’s particularly true if you’re a data-rich SaaS business. Specifically, you will need to incorporate security thinking into every aspect of your business and applications. Your product development team, for example, will have to take a different approach. Your developers, who have traditionally been motivated by (and measured on) creating new features and functions, will need to start with security by building their solutions on radically different architectural and development models.
If your company is developing a new solution, you will have to choose architectures, development methodologies and processes, languages, frameworks and components that support the delivery of a highly secure solution. If you already have products and solutions in place, security risk assessments, threat modeling and market analysis will help you identify the weakest links and opportunities to add value through security investments. Doing so will also show you where to start with remediation and suggest the pace at which investments make sense. No matter what situation you find yourself in, the time to start is now.
We call this approach to developing secure solutions from the bottom up, with a company-wide understanding of its value, security first.
How Did We Get Here?
With so many technological advances helping to make the world a better place, how did they all conspire to create one of the biggest threats that industries and individuals alike will face in the years to come? It’s really the result of three factors:
1. Huge Amounts of Sensitive Data Online
Unless you live off the grid, virtually every aspect of our lives is online. It’s not just the photos we share on Facebook or Instagram: most of our personal information, including our financial and healthcare details, is stored in software systems somewhere. While being able to access all of this data has made our lives easier and enabled many SaaS companies to deliver greater value, it has also exposed all of us to some pretty big potential risks.
2. Higher Software Complexity
Today’s software is being built in a distributed fashion, with multiple integration points and algorithm-driven features. The shift to microservice software architectures leads to simplified deployment and delivery, and higher frequency releases. However, the trade-off is higher complexity in managing access to large numbers of services and the cross-service integration via APIs and contracts. Plus, decision-making is being automated thanks to the rise of algorithms in software products. Using algorithms to fuel decisions, such as what movies to recommend on Netflix, makes things more efficient and creates economies of scale. However, algorithms are complex to create and maintain, and they are vulnerable to hacking. This puts the decisions they facilitate at risk.
3. Broader Attack Surfaces
The physical world is coming online as everything goes digital and gets connected to the Internet. As a result, we’re finding that our online and offline worlds are merging with the pervasiveness of sensors in enterprise, industrial, and consumer environments such as hospitals, HVAC systems, cell phones, watches, cars, refrigerators, thermostats and water and electricity meters. Each monitoring device contributes to a broader attack surface for those wanting to get access to your data, the network you are part of or even your physical assets (office, home, car).
We don’t believe the answer is to unplug from the Internet or roll back the technology advances of the past 20 years. Instead the discussion should focus on rethinking how we go about building software platforms and applications and start to put security first.
How Security First Can Help You Disrupt Your Industry
Putting security first will not only keep your business safe, it will also help you disrupt your industry. Just think of how innovative companies are differentiating themselves by focusing on security and privacy. Apple is a great example because it has taken a very forward-thinking stance. In fact, Apple’s CEO, Tim Cook, has said, “People would like you to believe you have to give up privacy to have AI do something for you, but we don’t buy that. It might take more work, it might take more thinking, but I don’t think we should throw our privacy away.”
And Apple has lived up to those words. The company uses hardware protection of encryption keys, end-to-end encryption on iMessage and differential privacy. And it works. Zero-day exploits for iOS are now going for big bucks and Apple is getting lots of favorable reactions across the IT community.
The Principles of Security First
There are ten principles that you can use to help your company adopt security first. Those principles can be divided up using the following framework:
Differentiate on Security
To build a secure solution that your customers prefer, you need to start early and always be vigilant. You also need to ensure that everyone in your organization understands the business objectives around security and privacy, and plays the right role. Doing so guarantees that you have the best opportunity to leverage your security and privacy investments to differentiate yourself in the market, while increasing customer and company value.
Make security everyone’s responsibility.
Create new value through security and privacy.
Build on Strength
Smart security investments, technology selections and partnerships leverage the integrity and expertise of others to reduce risk, enhance trustworthiness and reduce total effort. In addition, synergies may exist between your security and functional investments. Challenge your team to find them, and you’ll increase the benefit of your investments. Building trust is hard, so focus on doing so with your customers in areas where you’re the expert. Rely on secure approaches wherever possible.
Seek out synergies between security and function.
Avoid partners that weaken your security.
Knowledge Is Power
The more you and your customers know about your security status and assumptions, the lower your risk and the higher your opportunity. Using threat models to assess potential or actual areas of risk is the best way to uncover exposures. To engender trust and generate value, help your customers understand their exposure when using your software. If you’re transparent and give them control and oversight over the data they entrust to you, you may be rewarded with access to additional data.
Always be (threat) modeling.
Give customers control and insight over their data.
You Will Be Hacked
Even with all your planning, precautions and preparations, the unexpected will happen. Don’t be caught off guard. Assume the worst; design both your software and your wider business processes to withstand attacks, and practice for the day when it happens. Treat recovery as both a technical and a customer success problem and ensure you have a practical strategy to help customers recover quickly.
Design systems to reduce the impact of an attack.
Assume that reality is always worse than it appears.
Have a rapid remediation plan and practice using it.