Design for Cybersecurity Part (I/II)

Everyone knows the significance of security in digital products and services. Consumers demand safe digital offerings, especially when they incorporate them into their own goods and services. For example, a manufacturer that incorporates a sensor into the design of a product expects the sensor to be cyber-secure and not add vulnerabilities. Any internet-connected device can be used to launch attacks that gain access to the internal system, steal credentials, plant malware, or collect sensitive data. But, as breach after well-publicized breach demonstrates, our development procedures for building cybersecurity into goods and services continue to fail. We have not yet arrived at a position where security is not only expected but deeply ingrained in all aspects of product creation.

Research shows that cybersecurity is rarely considered among the criteria in the early design phase. Most designers focus on making sure their offerings are elegant, marketable, usable, and feature rich. Security is often “bolted on” after initial designs are completed, either by security development processes running parallel to the product development process or by security experts who work as consultants to the design team. This approach can add costs since it usually involves redesigning a product or retrofitting new features, and if a problem cannot be fixed, a design may have to be scrapped entirely.

If your executive team is not talking regularly about how to build secure digital offerings and you are not testing your processes often, most likely your products have hidden vulnerabilities. The number of discovered vulnerabilities within the United States National Vulnerability Database increases yearly; 18,356 new vulnerabilities were reported in 2020 alone, and it is likely that significantly more went unreported.

Business leaders must discover ways to influence designers’ attitudes about including security in the original design. This is accomplished by executives thinking about security themselves, discussing it with their teams, and making it a key aspect of the product’s design. Managerial processes like these are responsible for changing designers’ values, attitudes, and beliefs and encouraging actions that result in more secure initial designs.

Cybersecurity Gets No Respect Until It’s Too Late

Few leaders will deny the importance of cybersecurity for digital offerings. However, in practice, product teams tend not to prioritize cybersecurity. Our study revealed three reasons why this happens.

First and foremost, cybersecurity does not directly contribute to income. Most buyers base their purchasing choice on features that enhance value, cut expenses, or give other benefits. People approach cybersecurity as if it were a tire on a car: they expect it to be present, but they buy the product for its other benefits. Product managers are aware of this. One organization informed us that the security of its offering is significantly less essential than other aspects since it doesn’t matter how safe the product is if it doesn’t suit the demands of the consumers.

Second, cybersecurity as it is now practiced has the potential to delay time to market. It frequently necessitates the use of additional resources, such as expertise or specialized training, and it might take additional time to undertake further testing and rework when vulnerabilities are discovered. Product managers assume that customers will locate alternatives or replacements if their product misses the window of market opportunity. If this occurs, the product’s cybersecurity features would quickly become obsolete.

Lastly, designers and managers frequently underestimate the severity of cybersecurity vulnerabilities – at least until a security event occurs. One manager rationalized lowering the importance of security concerns by claiming that the company’s product was not tied to anything important in customers’ systems, thus a breach would cause little harm. When managers learn about a cybersecurity problem, they begin to question whether their products are vulnerable as well. Nevertheless, by then, it may be too late, and the offering may already be in the hands of clients.

Design Processes for Cybersecurity Must Change

1. Bolting on security fixes. Some development teams do not specifically consider cybersecurity until a vulnerability is uncovered through testing after the design is complete. They then bolt on cybersecurity as needed. The most common types of testing where cybersecurity issues were uncovered were vulnerability testing, penetration testing, and quality-control testing.

When a vulnerability is discovered in this situation, it is returned to the design team to be corrected. In certain circumstances, this may entail costly redesigns or the use of alternative, more secure components. In this study, managers whose businesses employed this technique had a variety of reasons for doing so. In most cases, leadership believed that designers should concentrate on design and that cybersecurity concerns could be dealt with when they arose.

2. Incorporating secure development life-cycle processes. This approach runs parallel processes of reviewing the design and injecting security tests and considerations (the security checkpoints or gates) into the design and subsequent development processes. An organization that uses this approach has a series of checkpoints where cybersecurity is tested. The product design process continues unless the design fails to pass through one of these gates, at which time the team will consider how to address the vulnerability. Again, this can be pricey, but it is far less expensive than waiting until the end of the process to determine if security measures are required. When there are parallel processes, designers can make a particular effort to guarantee that the design and prototypes have the appropriate security built in. There is still the possibility of having to discard an early-stage concept and start from scratch. Detecting the vulnerability sooner in the design phase, on the other hand, is less expensive than discovering it after the design has already been finalized.

3. Embedding security consultants. A third approach is to inject security experts directly into the design team to work with designers. In some of the teams that were studied, one member was designated to focus on cybersecurity. That person’s role was to ask important questions to make sure designers factored security into their work. While this approach does bring security design into the process earlier than the other two approaches, it does have flaws. In the teams we studied, this expert was a shared resource among multiple design teams. Someone in such a role may not be fully up to speed on the current design, requiring extra work to fill in the missing pieces. And since the expert is assigned to multiple teams, they may not always be available when needed, causing delays in the process.

Design Integrated with Cybersecurity

The answer, then, is for designers themselves to have enough knowledge of security needs to build in cybersecurity from the start. They will need both a general understanding of secure design principles and specific knowledge about the security considerations for the offerings they are creating. They must also believe that it’s important to include security starting at idea conception and that it’s their job to ensure that this is done. When those conditions are met, cybersecurity becomes one of the basic design criteria, similar to manufacturability, usability, quality, cost, and the many other elements that are part of any design process.

In most companies, designers with security backgrounds reported that they made decisions on tools, libraries, and components to use in their product designs based in part on how secure they were. Such teams design for cybersecurity as naturally as they do for other criteria.

Executives and managers increasingly want to see cybersecurity built into product design from the beginning. To accomplish that, the first step they must take is to genuinely prioritize cybersecurity as a major design criterion. If leaders do not show that they value cybersecurity by talking about it and prioritizing it in their resource allocation decisions, they send a clear, if subliminal, message that it is not really important. Leaders also need to educate themselves about how cybersecurity is being incorporated into their organization’s offerings.