- Andrea Little Limbago
Technical debt frequently enters discussions as early stage and growing companies aim to balance the first-to-market demands with pushing code that will later need refactoring and improvements. In contrast, security debt is rarely a core consideration during these early stages and can lead to significant pain down the road. Security debt refers to business and development processes that treat security as an afterthought, requiring retrofitted solutions when the problems can no longer be ignored.
Security debt can be especially challenging because it requires refactoring both code and human behavior. Together, these comprise the broader security culture, which encompasses everything from software development delivery to corporate communications to internal data storage to BYOD policies and a distributed workforce. Security culture is similar to planting a tree. The best time to plant the seeds was yesterday, the second best time is today. Building a security culture from the start requires a mindset shift, but can minimize future reputational, financial, and development pain that can accompany security debt.
The Impact of Security Debt
For early stage companies, security debt may take a back seat to the more pressing demands of pushing out a product or appeasing the board. While understandable, security considerations early on can minimize major growth pains that can debilitate companies at future stages. First, once development and business processes are in place without prioritizing security, it is extremely hard to rejigger both the architecture and human behavior. Second, because larger corporations may have more mature security practices, targeted attackers often look throughout their supply chain to find the weakest link. In fact, small companies are increasingly targeted by criminal groups as both an entrance point as well as for profit. Third, small companies are also susceptible to opportunistic attacks—such as the global ransomware attacks WannaCry and NotPetya—that scan for vulnerabilities and can cause significant financial harm.
Finally, compliance is a growing challenge and increasingly costly if security is not injected as early as possible. Many new regulations require evidence of ‘security safeguards’, data breach disclosures within days of discovery, or itemized data collection upon request (i.e., right of access). Time and again, the majority of companies are ill-equipped to comply and spend significant time and resources to address the expanding data protection regulatory landscape.
Building a security culture from the start can minimize these problems with security debt. This extends well beyond awareness and must become indoctrinated across people, processes, and technology. The first step in building a security culture is establishing the foundation.
Building the Foundation
A strong security culture relies on establishing the norms that drive human behavior. A recent study by Kai Roer and Gregor Petrič demonstrates that the more a company’s security norms are understood and enforced, the stronger the security behavior and culture. Below are some first steps on the path to a robust security culture.
- Take Stock – With big data, IoT, BYOD and every other buzzword, most companies cannot easily identify all of the connected devices or applications within their network, or locate where their data resides. Importantly, for each of these, they often also don’t audit or enforce access to each of these. Understanding what needs protecting and instituting processes to locate devices and applications, and even more importantly securing the data as it travels within and across networks, is much more attainable when implementing these behaviors early on. If organizations grow without such an inventory, it becomes untenable and extremely resource intensive.
- Secure Processing – Integrating security as early in the development process as possible mitigates the majority of challenges that arise when trying to retroactively integrate security. Roughly three-quarters of IT leaders believe DevOps projects introduce security risks, and these are hard to fix retroactively. In addition to being a trending term, the DevSecOps marriage succinctly captures this notion by ensuring secure practices are injected during the first stages of software development and persist throughout.
- Don’t underestimate the human element – Identify impactful awareness programs to demonstrate that security is a team effort and a corporate priority. These can range from commercial products to simply sharing and discussing tips from the educational sources DHS provides, such as for raising awareness about phishing or social media behavior. At the same time, it is important to establish an access management policy that can evolve as the organization grows. A framework should focus on the core touchpoints; who has access to what data, apps, and devices, with controls to update these privileges as employees, customers, or partners roles change.
- Develop Secure Habits – The majority of breaches can be mitigated, if not completely deterred, by focusing on a few of the most common data compromise vectors. Encrypting data at rest and in motion, integrating multi-factor authentication, creating redundancy and segmentation of systems and data can become second nature if integrated early. Coupled with the awareness training (especially for phishing) and patch management, organizations can address over 90% of the most common data compromises.
Future-proofing against security debt
By prioritizing a security culture early, organizations can minimize security debt and establish a security culture that fosters growth and innovation, while protecting core assets. Importantly, by establishing these behaviors, organizations are well-equipped to adjust to the changing threat and regulatory landscape.
With the baseline and processes in place, organizations must continue to nurture the security culture. This can include incident response preparation to help minimize disruption. A good IR plan serves the additional purpose of framing security as a team event since it takes everyone from PR to developers to executives to execute the plan. Reinforcing a commitment to data protection—including access controls and end-to-end encryption—further helps ensure corporate assets remain protected wherever they travel and as companies expand into multi-cloud infrastructures. Finally, a range of tools can help integrate ‘security chaos’ into software development to further test resilience.
While moving from security debt to a resilient security culture certainly takes time and resources, it is attainable and the future rewards far outweigh the effort if implemented early. In fact, many organizations are gaining a competitive advantage through a security culture. By building a strong security culture, organizations can focus on innovation and growth and avoid the security debt that continues to plague most organizations today.
As Virtru’s Chief Social Scientist, Dr. Andrea Little Limbago specializes in the intersection of technology, cybersecurity, and policy. She directs Virtru’s technical content, while contributing her own research on the geopolitics of security and privacy, global data protection trends, and usable security.
Learn More about Solving Security Challenges at DevGuild: Enterprise Security
Want to learn more about security best practices? At DevGuild: Enterprise Security, CISOs from organizations like Atlassian, HashiCorp and Splunk discussed topics including “Democratizing Security from the Top Down” and “Disclosing Incidents from Routine to Breach.”