Corporate executives of all stripes know that cybersecurity is, quite frankly, a mess: too many security weaknesses spread across too much of your business, especially among the third parties that have become an integral part of the modern corporate enterprise.
Internal audit and cybersecurity teams spend too much time chasing down those weaknesses and fixing them. Compliance and legal teams spend too much time dealing with investigations when a weakness turns into a security breach. Sales teams spend too much time filling out endless risk assessment questionnaires from would-be customers. Above all is the board, spending too much time worrying about security while the situation gets more complicated year after year.
Corporations desperately need a better, more strategic approach to cybersecurity.
Well, one way forward is security by design — a way to move beyond patchwork defenses, meet regulatory expectations, and create lasting trust with customers and partners, all at the same time.
In this post let’s unpack what security by design is and why it makes sense as a business strategy; how GRC teams can support your organizations in implementing security by design; and the challenges you’ll need to anticipate (and overcome) along the way.
What ‘Security by Design’ Really Is
Security by design is more a concept than a regulation. While guidance about the idea abounds, there is no precise checklist that businesses can follow to say they are “doing” security by design.
Instead, it’s more accurate to say security by design is a reflection of your organization’s priorities, where security is fundamental to product development, strategic planning, audit planning, risk assessment, personnel incentives, and more.
This means that every organization will need to develop security by design practices in its own way — but in practice, we can identify three universal principles:
- Stronger security practices in product development, such as policies for using open-source software, robust testing of hardware products, and incentive compensation plans that encourage secure product development rather than fast delivery.
- Transparency with customers and business partners, both about how to use your products securely and about known vulnerabilities they should fix.
- Ongoing support through the product lifecycle, such as software updates and plans to sunset legacy systems at the end of their lifecycles.
Taken together, these principles lay the groundwork for regulatory compliance, operational efficiency, and long-term resilience.
Why Go Down This Road?
Plenty of risk professionals will look at security by design and mutter, “Great, another buzzword. Just what we need.”
That’s fair. Transforming your approach to security, risk management, and product development is a big deal; management will want to see a clear business advantage to doing so. So let’s articulate those reasons.
Regulatory momentum. Few regulations expressly say, “Thou shalt use security by design,” but SOX, the EU AI Act, the New York Cybersecurity Rule, HIPAA, GDPR, and state-level AI laws impose many other duties related to strong security and access control. Embracing security by design within the internal control environment helps organizations meet these obligations more quickly and easily.
Operational efficiency. Security by design can streamline the audits, testing, and compliance checks that slow product development and drive up internal costs.
Business value. For CISOs, IT leaders, and others who might purchase technology, security by design enhances the appeal of products and services because it reduces third-party cybersecurity risk.
In other words, security by design is both a better way to manage cybersecurity risk and to position your enterprise for resilient, long-term success in the global market. You can’t achieve the latter without mastering the former.
What You’ll Need to Do
Let’s assume you’ve sold management and operating teams on the benefits of security by design. What then? What are you, GRC leader, supposed to do?
To start, find a framework that supports security by design. Thankfully you have ample choices, including:
The next steps should sound familiar. Use the framework (or frameworks) to perform a gap analysis. Map existing controls to framework requirements. Rationalize your controls so that the fewest controls cover the widest range of risks. Document and test your work.
The challenge, however, is that you need to implement security by design controls across three interdependent dimensions:
- The teams developing software or hardware systems
- The products you make
- The customer groups you serve
CISOs will need to coordinate all that control activity — the design, the testing, the communication, and more — among multiple stakeholders both inside and outside your enterprise.
How to Get Started
The benefits of security by design are compelling, but making that transition is still a delicate project. CISOs and GRC leaders will need to anticipate several challenges as they get started.
First, make the business case for this shift. You’ll need to win over First Line operating teams (“better security will impress customers”), Second Line risk assurance teams (“smoother cybersecurity risk management”), and senior management (“we’ll be more resilient for long-term growth”).
Second, find the right tools. Most likely, you’ll need to juggle multiple frameworks, coordinate a large amount of planning and documentation activity across teams and time zones, and enable continuous testing and monitoring so you have evidence to impress auditors and regulators. That’s a lot. You’ll need trustworthy IT to do it.
Third, consider talent and change management demands. You’ll be asking a lot of people to do lots of things differently. As always, you’ll need the right people, processes, and technologies working in concert to embed security by design across the organization.
Read the full white paper on the Workiva blog
Access the complete framework and start leading your organization's shift from reactive defense to proactive resilience.
About Matt Kelly
Matt Kelly is an independent compliance consultant specializing in corporate compliance, governance, and risk management. He shares insights on business issues on his blog, Radical Compliance, and is a frequent speaker on compliance, governance, and risk topics.
Kelly was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and named to Ethisphere's "Most Influential in Business Ethics" list in 2011 and 2013. He served as editor of Compliance Week from 2006 to 2015.
Based in Boston, Mass., Kelly can be contacted at mkelly@RadicalCompliance.com.