The approach, which embeds security into digital products and services from their conception, makes solutions less prone to attacks, reduces costs and offers an opportunity to bring customers closer.
To develop a digital product without considering security as a component from the outset is likely to get you off to a bad start. Few managers or IT professionals would dare to disagree, although experience shows that most don’t actually take action. Maybe if they realized that security by design adds value to solutions and goes beyond the need to prevent hacking and data theft, they would put it into practice.
Embedding security into a technological project sure has its costs, and the expected return is not always clear. It’s like buying insurance: the policyholder only understands its importance once the damage is done. But there is a less noticed aspect of security by design: it creates solutions that perform better, are more elegant and better designed, are less prone to freezing, and are also cheaper.
Some of the flaws that later need to be fixed would never even reach the business level if they had been anticipated at the beginning of the project. Many times, security flaws in the code or in the software’s architecture are only uncovered when the product is fully developed or in the validation phase.
Moreover, certain breaches in a piece of software cannot be solved with “quick fixes”. Such fixes could be implemented, but besides not eliminating the risks completely, they may create so-called “Frankenstein” code, full of patches and oddities. Future managers and developers working with the solution would have to deal with that.
Thus, it is possible that security by design will gradually become a competitive advantage for IT service companies, as customers will increasingly demand it, whether to ensure compliance with security policies, to meet legal and regulatory requirements like the GDPR (General Data Protection Regulation), or to protect their most important asset: the customer.
It goes without saying that every customer expects a secure project, even when they don’t tell you outright. Nobody wants to own a product or service full of holes that “mice”, aka hackers, can break into. The digital world is becoming increasingly complex as people generate and entrust a huge amount of data to companies. So it’s only natural for customers, even those who have a long history with the company, to demand more from IT service providers.
This is where another great security by design opportunity comes in: gaining your customers’ trust. If the provider is able to eliminate concerns by strategically involving a specialized security team in a project from the ground up, the project will be different — and much better.
That’s the reason why Cinq has been highlighting the importance of security from the very beginning of each project — from the highly delicate ones, involving methods of payment for instance, to simple buttons or data display screens. For us, building security into all levels of products and services has become a pillar.
We have an information security team that is most willing to take part strategically in project conception, not limiting itself to small consulting tips on problems or specific concerns, but instead adopting security principles from the early stages of architecture development.
It’s a cultural process of awareness, and therefore complex and gradual. It is a worthwhile process, since it changes the way companies perceive information security, making it more strategic and organic.
Paulo Murer – head of cybersecurity at Cinq