How to move to security by design: Q&A with Daltrey’s Blair Crawford

Security by design is a catchphrase that’s become popular as businesses have learnt – often the hard way – that ‘bolting on’ security at the conclusion of a project is not only an expensive and complex endeavour, but usually ineffective.

So what is security by design? And more importantly, how can you integrate it effectively? Daltrey’s Managing Director, Blair Crawford, provides the answers.

What is security by design?

It’s not a specific methodology. Rather, security by design is an overall approach that governs how security is managed.

Until a few years ago, computer systems were designed with the functional requirements as the primary consideration. Security was then added, resulting in more costs and complexity. Security by design changes that.

It is less prescriptive than a methodology. Depending on the business’s specific requirements and risks, security by design may include cybersecurity frameworks, an overall security-management plan, the security controls for each layer in your defences and operational controls.

Bottom line: security by design ensures systems are designed, built, deployed and operated with security (and privacy) addressed and maintained throughout the system’s entire lifecycle. By creating the right controls from the start, businesses can reduce security risk, proactively prevent privacy breaches and deliver end-to-end security.

When deploying cloud applications, for example, security by design includes safeguards in the account environment, strong identification, traceability, automation of security best practices, protection for data in transit and at rest, and preparation for security events.

What are the obstacles when implementing security by design?

The design and build phases of a new system are critical because they demand that the controls are incorporated correctly from the start. However, this can cause issues when people are enthusiastic and want to move ahead with the project quickly. Security by design requires thought, time and effort at these stages; however, this will be less than the time and effort required to implement security later, once the solution is in production.

Adding security controls later can also lead to operational complexity and make troubleshooting more difficult. For example, new ransomware variants appear regularly. A typical defensive approach is to add or update a security tool to recognise a new variant. But in a system where security by design is used, the system can recognise how ransomware behaves, so any variant is detected and thwarted.

During the Petya ransomware attacks in 2017, companies that took a security-by-design approach avoided major outages because their systems could detect the malicious behaviour rather than looking for the specific malware variant.
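The behaviour-based detection Crawford contrasts with variant-specific signatures, shown as an added example that is not part of the interview or of any Daltrey tooling: a small Python detector run over constructed file-system telemetry. It flags a process only when several independent ransomware-like behaviours co-occur (a burst of high-entropy writes to distinct files, originals deleted after an encrypted-looking sibling appears, and a ransom-note-like filename), so no knowledge of a particular variant is needed. The event format, the thresholds (7.5 bits/byte, 4 files within 30 seconds) and the note-name fragments are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed file-system telemetry (not captured from any real host).
# Format per line: <ISO timestamp> <process> <pid> <WRITE|DELETE> <path> [<entropy bits/byte>]
SAMPLE_EVENTS = r"""
2017-06-27T10:00:01 winword.exe 1201 WRITE C:\Users\a\report.docx 4.9
2017-06-27T10:00:05 winword.exe 1201 WRITE C:\Users\a\report.docx 5.0
2017-06-27T10:00:07 7z.exe 3302 WRITE C:\Users\a\archive.7z 7.95
2017-06-27T10:00:10 suspect.exe 7710 WRITE C:\Users\a\report.docx.locked 7.98
2017-06-27T10:00:10 suspect.exe 7710 DELETE C:\Users\a\report.docx
2017-06-27T10:00:11 suspect.exe 7710 WRITE C:\Users\a\budget.xlsx.locked 7.97
2017-06-27T10:00:11 suspect.exe 7710 DELETE C:\Users\a\budget.xlsx
2017-06-27T10:00:12 suspect.exe 7710 WRITE C:\Users\a\photo.jpg.locked 7.99
2017-06-27T10:00:12 suspect.exe 7710 DELETE C:\Users\a\photo.jpg
2017-06-27T10:00:13 suspect.exe 7710 WRITE C:\Users\a\notes.txt.locked 7.96
2017-06-27T10:00:13 suspect.exe 7710 DELETE C:\Users\a\notes.txt
2017-06-27T10:00:14 suspect.exe 7710 WRITE C:\Users\a\README_DECRYPT.txt 4.3
"""

# Assumed tuning values; a real deployment would calibrate them against its own baseline.
HIGH_ENTROPY = 7.5                     # bits/byte above which written content looks encrypted
BURST_WINDOW = timedelta(seconds=30)   # time window for the high-entropy write burst
BURST_FILES = 4                        # distinct high-entropy files within the window
NOTE_RE = re.compile(r"readme|how_to|decrypt|restore", re.I)  # assumed ransom-note name fragments

Event = namedtuple("Event", "ts process pid action path entropy")
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (WRITE|DELETE) (\S+)(?: ([0-9.]+))?$")


def parse_events(text):
    """Parse the constructed telemetry format into Event tuples (entropy may be None)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable event line: %r" % line)
        ts, proc, pid, action, path, entropy = m.groups()
        events.append(Event(datetime.fromisoformat(ts), proc, int(pid), action, path,
                            float(entropy) if entropy else None))
    return events


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def original_name(name):
    """'report.docx.locked' -> 'report.docx'; a single-extension name is returned unchanged."""
    return name.rsplit(".", 1)[0] if name.count(".") > 1 else name


def detect_ransomware_behaviour(events):
    """Return {(process, pid): [reasons]} for processes showing at least two ransomware behaviours."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e.process, e.pid)].append(e)

    findings = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        reasons = []

        # Behaviour 1: burst of high-entropy writes to many distinct files in a short window.
        window = deque()
        for e in evs:
            if e.action == "WRITE" and e.entropy is not None and e.entropy >= HIGH_ENTROPY:
                window.append(e)
                while window and e.ts - window[0].ts > BURST_WINDOW:
                    window.popleft()
                if len({w.path for w in window}) >= BURST_FILES:
                    reasons.append("burst of %d+ high-entropy writes within %ds"
                                   % (BURST_FILES, BURST_WINDOW.seconds))
                    break

        # Behaviour 2: originals deleted after a sibling with an extra extension was written.
        encrypted_like = {original_name(basename(e.path)) for e in evs
                          if e.action == "WRITE" and basename(e.path).count(".") > 1}
        replaced = sum(1 for e in evs if e.action == "DELETE" and basename(e.path) in encrypted_like)
        if replaced >= BURST_FILES:
            reasons.append("%d original files deleted after encrypted-looking copies" % replaced)

        # Behaviour 3: a ransom-note-like filename was dropped.
        if any(e.action == "WRITE" and NOTE_RE.search(basename(e.path)) for e in evs):
            reasons.append("ransom-note-like filename written")

        # Require two independent behaviours so a lone archiver or editor is not flagged.
        if len(reasons) >= 2:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (proc, pid), reasons in detect_ransomware_behaviour(parse_events(SAMPLE_EVENTS)).items():
        print("%s (pid %d): %s" % (proc, pid, "; ".join(reasons)))
```

In the constructed sample, `winword.exe` writes low-entropy documents and `7z.exe` writes a single high-entropy archive, so neither meets two behaviours; only `suspect.exe`, which exhibits all three, is reported. The point is that nothing in the detector names a variant: a new strain that still encrypts files in bulk, removes the originals and leaves a note triggers the same rules.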

How do modern trends such as agile development and lean methodology make it easier to implement security by design?

The overall security framework should be designed in ‘iteration 0’, with each subsequent iteration building on this and addressing security controls and issues as lessons are learnt.

This is a more efficient approach to managing security by design than the traditional waterfall approach. As controls are tested and refined, confidence increases about the production system’s ability to comply with the required security standards. As a result, the product is more secure and the cyber risk is reduced.

When security by design is done right, what does it look like?

The best outcome is that security principles and controls are incorporated throughout all development stages.

Security controls should be integrated into all activities without adding operational burden. The environment should look like a well-architected security framework, with all security and privacy obligations met and monitored.

If there is a security breach, there is a process in place to deal with it. Importantly, stakeholders should have confidence that the framework and processes in place will monitor, detect and manage security issues.

What advice would you give to a business looking to move from ‘security as an aftermarket bolt-on’ to security by design?

Seek out a security SME that can work with engineers and developers to ensure all security controls and best practices are implemented from the start of a project and throughout each iteration.

The business should also commit to adopting end-to-end security and establish a security-risk-management process if one does not already exist. Roles and responsibilities must be clearly defined with appropriate security controls that address business risks and ensure compliance with regulations and laws.