Change Designers’ Values, Attitudes, and Beliefs About Security
Business executives can inform their design teams that they want them to develop cybersecurity, but that will not happen until other administrative procedures are implemented to modify the designers’ values, attitudes, and beliefs. Our methodology for fostering a cybersecurity culture outlines four actions that executives may take to influence the behaviors of their development teams and shift them toward a mentality of designing for cybersecurity.
1. Tie performance appraisals to cybersecurity. Often, development teams are rewarded for attractive product designs and speed to market rather than for safe designs, sending the obvious message that security is not a priority. According to one management, designers associated their success with getting things sent quickly rather than getting better products shipped later, even if it meant having a product returned for revision due to a vulnerability found after the offering was received.
Security metrics must be visible to leaders to affect designers’ mindsets. Yet, our research revealed that the formal assessment process was the most underutilized approach for fostering desired cybersecurity behaviors. Individual performance assessments should include criteria such as adding security design components and security controls, generating designs that pass testing gates, and engaging with security specialists to ensure that offers are as safe as possible from the early design phase. More important, leaders must be ready to delay or reject the release of digital offerings with insufficient cybersecurity built in and hold the development team accountable. This will make it clear that there are consequences for insufficient security.
2. Make heroes out of designers who engage in positive cybersecurity behaviors. Recognition may be a powerful motivation for employees, and as with performance reviews, executives frequently forget to recognize individuals who discover and resolve cybersecurity risks. This conveys an obvious but unintended statement about what the corporation values.
Employees that take cybersecurity seriously can be rewarded and recognized in a variety of ways. One manager we spoke with, for example, awarded bonuses to designers who solved a hard security challenge or drove a process that integrated cybersecurity into the company’s services. The same corporation explicitly acknowledged team members who were significant supporters of and contributors to the security of its services at an annual security conference. Another organization highlighted its cybersecurity heroes by inviting them to join a social network of corporate professionals. Recognizing security effectiveness may be as easy as giving an employee a “cybersecurity champion” emblem to add to their email signature. By doing so, leaders send a clear message that they value cybersecurity behaviors and publicly acknowledge them.
3. Train designers on security in addition to using experts and safety nets. Designers told us they were not focused on the cybersecurity of their designs because others in the organization knew more than they did and would catch any issues later in the development process. This is not an attitude companies should encourage. Designers need basic training on how to design for cybersecurity and should be reminded that it is their responsibility. Agile development processes must also include stories based on cybersecurity requirements. This both highlights the need for secure offerings and provides a platform for assessing whether cybersecurity was built in from the beginning. Safety nets, testing activities, and experts in secure development life-cycle processes are still needed to supplement the initial security designs, but designers must have enough knowledge to do the first pass. (See “What Product Designers Should Know About Security.”)
4. Deliver strong and frequent messages to increase awareness of cybersecurity needs. Designers may not realize it’s their job to develop elegant, cost-effective, secure offerings. This might sound counterintuitive to managers who believe they have communicated this priority. But our research shows that the security message can get lost in the complexity of product design and the many messages designers hear. Leaders need to build a communication plan to consistently reinforce the importance of creating cybersecure offerings. This can include facilitating short discussions or presentations at team or organization meetings, launching funny and engaging campaigns to make the message memorable, or even using traditional marketing techniques to change hearts and minds. The key action here is to continually remind everyone involved in the product development process how important cybersecurity is so that they internalize that belief and align their personal attitudes with the need to develop secure offerings. One leader to whom we suggested this action commented that he had never thought to voice the importance of cybersecurity in product design because he assumed his team already knew it. Upon reflection, he realized that he could not overcommunicate this message.
Many businesses are generating new income streams as a result of digital goods, but each digital product introduces new cybersecurity threats that must be addressed. By include “design for cybersecurity” as a major design criterion from the start of the process, designers will be reminded of the value and necessity of secure services. Showing that your company provides safe products is becoming increasingly crucial, and it may even provide a new competitive edge.
Building in cybersecurity earlier in the design process makes the whole product development process more effective. It avoids the additional work, increased costs, and delays caused by last-minute reviews or testing while making it less likely that cybersecurity issues will arise later down the road. And that should make company leaders — and their customers — sleep more soundly at night.