what is security first

What Is Security First and Why Does it Matter?

Yevgeniy Vahlis | Security First, Blog

This post is about security first, what it is and why it’s important. But before I can explain any of that, let me give you some broader context about security.

This past year cyber security has become a very mainstream topic, featuring in the mainstream media on a regular basis. It was even a hot topic during the recent US presidential election. The topic is no longer purely the domain of security geeks with terms like mega breaches, blockchains and end-to-end encryption making it into the news cycle.

In recent years we’ve also seen the impact of cyber attacks cross previous high water marks, going well beyond what many expected to be possible. The Yahoo! security fiasco is one example in which the company knew for several years about a massive breach of 500 to 800 million of their customers’ passwords and failed to even take the most basic step of resetting the login credentials of affected users.

The disclosure of the breach this summer (2016) during the due diligence process that Verizon undertook as part of its acquisition deal with Yahoo! has led to at the very least a significant reduction in valuation (around 20 percent), and may end up putting the entire acquisition deal in jeopardy.

Another example of a record breaking attack was the distributed denial of service (DDoS) attack against Dyn, a domain name lookup infrastructure provider and the journalist Brian Krebs. The former attack took down a number of high-profile domains including amazon.com, shopify.com and github.com for a few hours. And finally, the Jeep and Tesla hacks that allowed attackers to remotely trigger breaks on specific models of the cars.

And while many of these attacks may appear to be specific to the companies or products targeted, there are now many examples of broad, highly repeatable attacks happening. One such example is ransomware and it is taking the cybercrime industry by a storm. The total ransom payments for 2016 are set to top $1 billion, compared to $24 million in 2015. And then there are the good old data breaches that are not showing signs of slowing down: 901 breaches year-to-date as of late November.

On the positive side, we are seeing some dramatic moves by Apple, which promised to deploy an advanced anonymization technique called differential privacy to provide customers with good predictive functionality on the phone without having to syphon off private data. For its part, Microsoft is moving heavily into the encrypted database space with its support for searchable encryption in SQL Server. Meanwhile, Facebook is enabling end-to-end encryption in its main messenger product, and Google has deployed quantum-resistant cryptography with its Chrome browser.

Our conclusion is that security and privacy have transitioned from being legal risk management and compliance topics to drivers of innovation and a requirement for business survival. We expect companies that put security and privacy first to have a strategic competitive advantage that increases over time.

Given the very real threat of cyber attacks, companies are reassessing their entire security stance and are placing greater emphasis on security when they build and buy enterprise software products. In fact, a number of our portfolio companies are increasingly being subjected to vulnerability assessments and penetration testing by customers purchasing software subscriptions.

The implications for SaaS businesses are huge, forcing many to rethink the whole architecture and development lifecycle of a business product to be secure first. In other words, the buyers of software are putting security first when purchasing a subscription and SaaS companies are starting to follow suit when building products.

How Did We Get Here?

So how exactly did all of the technological advances that are helping to make the world a better place also conspire to create one of the biggest threats that both industries and individuals alike will face in the years to come? In our view, it’s really the result of three factors:

1. Huge amounts of sensitive data online. Unless you live off of the grid, virtually every aspect of our lives are online. It’s not just the photos we share on Facebook or Instagram, most of our personal information, including our financial and healthcare details, is being stored in software systems somewhere. While being able to access all of this data has made our lives easier and enabled many SaaS companies to deliver greater value (see this post on applied analytics to find out how), it’s also exposed all of us to some pretty big potential risks.

2. Higher software complexity. Today’s software is being built in a distributed fashion, with multiple integration points and algorithmic-driven features. The shift to microservice software architectures leads to simplified deployment and delivery, and higher frequency releases. However, the tradeoff is higher complexity in maintaining access to large numbers of services and the cross-service integration via APIs and contracts.

Plus, decision-making is being automated thanks to the rise of algorithms in software products. Using algorithms to fuel decisions, such as what movies to recommend on Netflix, makes things more efficient and creates economies of scale. However, algorithms are complex to create and maintain, and they are vulnerable to hacking. This puts the decisions they facilitate at risk. While not a significant issue when it comes to serving up movie recommendations, the stakes are a lot higher when the algorithm in question controls e-commerce transaction fraud or ER patient prioritization decisions.

3. Broader attack surfaces. The physical world is coming online as everything goes digital and gets connected to the Internet. As a result, we’re finding that our online and offline worlds are merging with the pervasiveness of sensors in enterprise, industrial, and consumer environments such as hospitals, HVAC systems, cell phones, watches, cars, refrigerators, thermostats and water / electricity meters. Each monitoring device contributes to a broader attack surface for those wanting to get access to your data, the network you are part of or even your physical assets (office, home, car).

We don’t believe the answer is to unplug from the Internet or roll back the technology advances of the past 20 years. Instead the discussion should focus on rethinking how we go about building software platforms and applications and start to put security first.

Rethinking Security By Putting Security First

We believe that all software companies, and data-rich SaaS companies in particular, will need to go through a paradigm shift over the next few years. Specifically, perimeter defense and the walls companies put around a solution only go so far. The best technology companies will incorporate security thinking into all aspects of their business and applications. Enterprises and consumers making security a top priority when buying a technology product will drive that shift.

The change in buyer behavior will force product development teams to take a different approach. For example, whereas developers have traditionally been motivated by (and measured on) creating new features and functions — giving little if any thought to security in the process — going forward, they’ll need to lead with security by building their solutions on radically different architectural and development models. We are already seeing examples of companies that are (re)designing the entire architecture and development of a business system to be secure first.

Not every company will have the ability to rethink security from the ground up. However for those companies with products already in the market not undertaking a redesign, there are still opportunities to get the basics of security right. That includes simple, but often overlooked, strategies such as using better encryption functionality, reducing the attack surface, enabling two-factor authentication, and a basic level of security training for developers. While these ought to be table stakes, they’re often ignored.

Companies that are starting with a blank canvas or are embarking on a redesign of their product can take a more disruptive approach. These companies will readily adopt automated security-minded development principles, tools and frameworks as these gain visibility. We’re seeing this occur within the large-scale Internet companies like Twitter, and we’re now seeing this start to happen in earlier stage companies that are prioritizing security alongside functionality in their roadmaps.

True security first companies will build their products and applications on innovative approaches for decentralized identity and data management, and parallel secure Internet models, as these architectural building blocks evolve. We also expect to see most companies increasingly adopt innovative approaches such as crowd-sourced penetration testing platforms, API-enabled cross-company threat sharing and machine learning applied to information security.

The Way Forward in an Unsecure World

Security has long been viewed as largely removed from product development and instead mostly an operational concern by high-growth software companies. When security is removed from development, it can easily become an afterthought that is focused on at the last minute or when a breach occurs.

To match customers’ expectations and to better address today’s security challenges, software companies need to design their software with security in mind from the outset. Security first has to become a company-wide priority and something that’s ingrained in the DNA of every business.

That may sound like a significant investment of time and money — and it will be in some cases — but we believe those companies that get it right and make the shift to security first, and those which help enable that shift, will come out as the winners over the long run. By preventing the otherwise unavoidable security breaches that lie ahead, they’ll be able to create even more value for themselves and their customers. That’s an approach that promises to pay big dividends in the years to come.

Want to Learn More About Security First?

To learn more about this topic, check out our recent SlideShare, “Security First: What It Is and What It Means for Your Business” below. You can also visit our new resources page “Security First: Resources to Help You Protect and Differentiate Your Company.”