Does Security Make You Scream???
Dr. Dustin Sachs, DCS, CISSP, CCISO
??Chief Cybersecurity Technologist | ??Researcher in Cyber Risk Behavioral Psychology | ??? Building a Network of Security Leaders
Introduction
As technology evolves, it is inevitable that computer systems and networks are developed and grow organically. This means that they are built upon existing structures, adding and modifying components as necessary to adapt to the changing technological environment. This development approach is both practical and efficient, allowing for fast and flexible modifications to the system. However, it can also be challenging when it comes to implementing security measures, as the system's structure is not designed to incorporate these measures seamlessly. In recent years, there has been a trend toward the "built-in, not bolted-on" approach to security architecture, but the question remains as to how realistic this approach is for existing computer systems and networks.
The "Built-in, Not Bolted On" Approach
The "built-in, not bolted-on" approach to security architecture is based on the idea that security should be a fundamental component of the system's design rather than an afterthought (Pearlson & Huang, 2022). This approach involves integrating security measures into the system's architecture from the beginning of the development process, rather than adding them as an afterthought. The goal is to create a security system that is seamless and comprehensive, reducing vulnerabilities and protecting against cyber threats.
The challenge of implementing this approach is that many existing computer systems and networks were not designed with security in mind (Pearlson & Huang, 2022). These systems may have vulnerabilities that are not readily apparent, and implementing security measures may require significant modifications to the system's architecture. In some cases, it may be necessary to rebuild the system from the ground up to implement the necessary security measures.
Integrating Security Resources
For many organizations, rebuilding a computer system from the ground up to implement security measures is not practical. Fortunately, there are several ways to integrate security resources into existing products and architectures. These methods include:
One way to integrate security resources into an existing system is to adopt a security-by-design approach (Pearlson & Huang, 2022). This approach involves designing and building security measures into the system's architecture from the beginning. This approach can be used to modify the existing system, adding security measures as necessary. This approach requires a significant investment in time and resources but can be effective in creating a seamless and comprehensive security system.
Another way to integrate security resources into an existing system is to implement secure coding practices (Pearlson & Huang, 2022). This involves modifying the existing code to incorporate security measures, such as encryption, access control, and intrusion detection. This approach requires a significant investment in time and resources, but it can be effective in reducing vulnerabilities and protecting against cyber threats.
Organizations can also integrate security resources by using third-party security products (Pearlson & Huang, 2022). These products include firewalls, intrusion detection systems, and encryption software programs. These products can be added to the existing system to provide additional security measures. This approach is often more cost-effective than rebuilding the system from the ground up.
Conclusion
The "built-in, not bolted-on" approach to security architecture is an effective way to create a comprehensive and seamless security system. However, implementing this approach can be challenging, especially for existing computer systems and networks. Integrating security resources, such as adopting a security-by-design approach, implementing secure coding practices, and using third-party security products, can help organizations to create a more secure system without rebuilding from the ground up. It is essential for organizations to evaluate their existing systems and determine which approach is most practical and effective for their needs.
References
Pearlson, K., & Huang, K. (2022). Design for cybersecurity from the start.?MIT Sloan Management Review, 63(2), 73-77.?https://coloradotech.idm.oclc.org/login?url=https://www.proquest.com/scholarly-journals/design-cybersecurity-start/docview/2616226293/se-2
Couldn’t agree more. I attended a Cyber Symposium a few years back and had the Dept. Chair from a major university computer science program on the panel. I asked about his experience with programmers/developers and the differences between those that took security courses early-on in their program (1st or 2nd yr) vs. later (3rd or 4th). He was adamant the folks taking security courses earlier wrote more secure and less exploitable code than those that took them later. He also mentioned their “mindset” would often be security first rather than an after-thought or what do I need to do to get this code approved and pass an audit.
Senior Client Manager
1 年Great read. You are spot on!! Thanks.
??Chief Cybersecurity Technologist | ??Researcher in Cyber Risk Behavioral Psychology | ??? Building a Network of Security Leaders
1 年Dutch Schwartz....I know that in your advisor roles, you talk a lot about this topic. What are your thoughts? How can organizations who are developing in the cloud or in SaaS environments to apply "security-by-design"?
Helping organizations implement secure design at scale
1 年Great article Dustin and appreciate the shout out! Secure by design is certainly a challenge to implement (especially for those existing systems/apps). "Built-in" security is not strictly a technical challenge IMO, but also a cultural one. Creating a culture of security within the develop org can help inspire the conversation, earlier, and allow for the process/solutions you laid out to be implemented more effectively and with a better understanding of "why". With the increased focus and new automated approaches to security at design I think we are at an inflection point where the possibility of securing early and often is not only best practice, but is increasingly cost efficient/practical.
Driving Operational Excellence and Customer Satisfaction
1 年Looking forward to the next episode!