Technical debt frequently enters discussions as early-stage and growing companies try to balance first-to-market demands against shipping code that will later need refactoring and improvement. In contrast, security debt is rarely a core consideration at these early stages, and it can lead to significant pain down the road. Security debt refers to business and development processes that treat security as an afterthought, so that solutions have to be retrofitted once the problems can no longer be ignored.
Security debt can be especially challenging because paying it down means refactoring both code and human behavior. Together, these make up the broader security culture, which encompasses everything from software delivery to corporate communications, internal data storage, BYOD policies, and a distributed workforce. Security culture is like planting a tree: the best time to plant the seed was yesterday, and the second best time is today. Building a security culture from the start requires a mindset shift, but it can minimize the reputational, financial, and development pain that accompanies security debt later on.
For early-stage companies, security may take a back seat to the more pressing demands of shipping a product or appeasing the board. That is understandable, but attending to security early can head off growth pains that debilitate companies at later stages. First, once development and business processes are in place without security as a priority, it is extremely hard to rework both the architecture and the human behavior around it. Second, because larger corporations tend to have more mature security practices, targeted attackers often look across their supply chain for the weakest link; small companies are increasingly targeted by criminal groups both as an entry point into larger victims and for direct profit. Third, small companies are also exposed to opportunistic attacks, such as the global WannaCry and NotPetya outbreaks of 2017, both of which spread automatically, in part by exploiting the unpatched SMBv1 flaw addressed by MS17-010, and which can cause significant financial harm without anyone having chosen the victim.
Finally, compliance is a growing challenge, and an increasingly costly one if security is not built in as early as possible. Many newer regulations require evidence of 'security safeguards', breach notification within days of discovery, or an itemized account of the data collected about a person on request (the right of access). Time and again, most companies turn out to be ill-equipped to comply and spend significant time and resources catching up with the expanding data protection regulatory landscape.
Building a security culture from the start minimizes these problems with security debt. This extends well beyond awareness training and must be embedded across people, processes, and technology. The first step in building a security culture is establishing the foundation.
A strong security culture rests on the norms that drive human behavior. A recent study by Kai Roer and Gregor Petrič found that the better a company's security norms are understood and enforced, the stronger its security behavior and culture. Below are some first steps on the path to a robust security culture.
By prioritizing a security culture early, organizations can minimize security debt and establish a culture that fosters growth and innovation while protecting core assets. Just as importantly, organizations that have established these behaviors are well equipped to adjust to a changing threat and regulatory landscape.
With the baseline and processes in place, organizations must continue to nurture the security culture. This includes incident response preparation to minimize disruption when, not if, an incident occurs. A good IR plan serves the additional purpose of framing security as a team sport, since executing it takes everyone from PR to developers to executives, and like any plan it only works if it has been rehearsed before it is needed. Reinforcing a commitment to data protection, including access controls and end-to-end encryption, further helps ensure corporate assets remain protected wherever they travel, especially as companies expand into multi-cloud infrastructure. Finally, a range of tools can help bring security chaos engineering into software development: deliberately injecting failures or misconfigurations into a controlled environment to verify that the organization's security controls actually detect and contain them.
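As an added example (not part of the original post, and not Virtru's or Heavybit's code), the script below sketches the shape of a security chaos experiment of the kind described above: state a hypothesis about a control, confirm steady state, inject a failure, observe whether the control fires, and roll back. The security-group model and the detection rule are constructed stand-ins for a real cloud API and alerting rule, and the names `run_experiment`, `detect_open_admin_ports` and the sample groups are assumptions made for illustration.

```python
"""Security chaos experiment: inject a control failure, check detection, roll back.

Constructed, offline illustration. The security-group model and detection
rule are stand-ins for a real cloud API and SIEM rule (assumptions).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Rule = Tuple[str, int, str]  # (protocol, port, source CIDR)


@dataclass
class SecurityGroup:
    """Toy stand-in for a cloud security group (assumption, not a real API)."""
    name: str
    ingress: List[Rule] = field(default_factory=list)


@dataclass
class Alert:
    rule: str
    resource: str
    detail: str


def detect_open_admin_ports(groups: Dict[str, SecurityGroup]) -> List[Alert]:
    """The control under test: flag SSH/RDP reachable from the whole internet."""
    admin_ports = {22, 3389}
    anywhere = {"0.0.0.0/0", "::/0"}
    return [
        Alert("open-admin-port", sg.name, f"{proto}/{port} from {cidr}")
        for sg in groups.values()
        for proto, port, cidr in sg.ingress
        if port in admin_ports and cidr in anywhere
    ]


@dataclass
class ExperimentResult:
    name: str
    detected: bool   # did the control fire on the injected resource?
    restored: bool   # did rollback return the environment to steady state?
    alerts: List[Alert]


def run_experiment(
    name: str,
    groups: Dict[str, SecurityGroup],
    inject: Callable[[Dict[str, SecurityGroup]], None],
    detector: Callable[[Dict[str, SecurityGroup]], List[Alert]],
    target: str,
) -> ExperimentResult:
    """Hypothesis: after `inject` runs, `detector` raises an alert on `target`."""
    # 1. Steady state: the control must be quiet before anything is touched,
    #    otherwise a later alert proves nothing.
    if detector(groups):
        raise RuntimeError(f"{name}: alerts present before injection; fix those first")
    snapshot = {k: list(sg.ingress) for k, sg in groups.items()}
    alerts: List[Alert] = []
    try:
        # 2. Inject the failure and observe the control.
        inject(groups)
        alerts = detector(groups)
    finally:
        # 3. Always roll back, even if injection or detection raised.
        for k, sg in groups.items():
            sg.ingress[:] = snapshot[k]
    detected = any(a.resource == target for a in alerts)
    # 4. Verify rollback: same rules as before, and the control is quiet again.
    restored = all(sg.ingress == snapshot[k] for k, sg in groups.items()) and not detector(groups)
    return ExperimentResult(name, detected, restored, alerts)


# Constructed sample environment and two experiments.

def sample_groups() -> Dict[str, SecurityGroup]:
    return {
        "web": SecurityGroup("web", [("tcp", 443, "0.0.0.0/0")]),
        "bastion": SecurityGroup("bastion", [("tcp", 22, "10.0.0.0/8")]),
        "db": SecurityGroup("db", [("tcp", 5432, "10.0.1.0/24")]),
    }


def open_ssh_to_world(groups: Dict[str, SecurityGroup]) -> None:
    groups["web"].ingress.append(("tcp", 22, "0.0.0.0/0"))


def open_postgres_to_world(groups: Dict[str, SecurityGroup]) -> None:
    groups["db"].ingress.append(("tcp", 5432, "0.0.0.0/0"))


def run_all() -> List[ExperimentResult]:
    return [
        run_experiment("ssh open to internet is detected",
                       sample_groups(), open_ssh_to_world, detect_open_admin_ports, "web"),
        run_experiment("database open to internet is detected",
                       sample_groups(), open_postgres_to_world, detect_open_admin_ports, "db"),
    ]


if __name__ == "__main__":
    for r in run_all():
        status = "PASS" if r.detected else "GAP "
        print(f"[{status}] {r.name}  (rollback ok: {r.restored})")
```

Run it and the second experiment reports a gap: the detection rule only covers administrative ports, so a database exposed to the internet goes unnoticed. That gap, found deliberately in a controlled setting rather than by an attacker, is the output a security chaos experiment exists to produce. The rollback check matters just as much, because an experiment that leaves the hole open has turned itself into the incident.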
Moving from security debt to a resilient security culture certainly takes time and resources, but it is attainable, and the rewards far outweigh the effort when the work starts early. Many organizations are already turning a strong security culture into a competitive advantage. By building one, organizations can focus on innovation and growth and avoid the security debt that continues to plague most organizations today.
As Virtru’s Chief Social Scientist, Dr. Andrea Little Limbago specializes in the intersection of technology, cybersecurity, and policy. She directs Virtru’s technical content, while contributing her own research on the geopolitics of security and privacy, global data protection trends, and usable security.
Want to learn more about security best practices? At DevGuild: Enterprise Security, CISOs from organizations like Atlassian, HashiCorp and Splunk discussed topics including “Democratizing Security from the Top Down” and “Disclosing Incidents from Routine to Breach.”