Security isn’t a product, you should just be doing it

I work for a service provider of public cloud services. Security is very important to us, in fact it’s the top of everything we do, in order to provide our clients with the confidence they need we have processes, compliance programs and controls in place to prevent a number of threat vectors.

Actually, regardless of your industry, cyber security has become for most organisations the number one concern about the integrity of their clients, their data and their business. For the small number of organisations where this is not the number one concern then that organisation is in trouble.

According to an article by The Best VPN, Ransomware attacks increased by 36% in 2017, 1 in every 131 emails contains malware and 43% of cyber attacks are targeted at small business. We can only speculate on the reasons for the latter statistic, you could say that smaller business are easier to compromise and don’t spend as much on cyber security as the biggest enterprises, but either way the information is interesting.

My point at this stage is that of the many people in the industry I speak to, both other providers and clients, I see a worrying trend of people monetising security solutions. In the spirit of most information security frameworks, security is for everyone and everyone has a responsibility to maintain a level of information security at their organisation.

Yes service providers will offer security services for a cost. That is a given. But solutions which are designed for implementation, whether this is for a client or your own internal organisation should have security at front of mind. A real focus and be engaging those in the business who understand security, understand risk and understand your governance and compliance requirements.

I could spend time sharing horror stories where security has not been discussed first and has had a real impact on an organisation. I had an instance on Monday this week actually where security was an afterthought in many ways, what was deployed was simply inadequate from a security perspective. However, while useful to share stories it does not achieve anything. The action is what matters, which is why I have my own little framework and steps to go through.

If anything, it’s less of a framework, more a way of working. It’s really quite simple, in that all you need to do is think of security before anything else. All employees in every organisation have a responsibility to maintain information security. No more so than as an IT Pro where we often have access to or can more easily expose without realising sensitive data. So here are some tips to get you thinking.

1. Engage your information security team as early as possible, trust me, doing this now rather than engaging them afterwards presenting a list of risks they have to work through will make your job much easier.
2. Listen to what they have to say. As security professionals, they offer a really valued opinion and view on the architecture of applications. Especially when it comes to compliance and regulatory requirements.
3. Include them in your testing plan, this includes penetration testing. For me, your information security team are a key relationship in your deployment.
4. Security over functionality, simply put that in my opinion, security should always come over functionality. If functionality will compromise security, then go back and think about that functionality, is it needed? Can we design it another way?

At this point, you now have security risks identified, hopefully, addressed or in progress at the very least. It’s now at this point you can go forward and start the application design. Armed with this information, it should now be fairly easy to incorporate all this feedback and information from the security team to ensure you are delivering a secure solution, this is known as security by design. For those working with data on European Union subjects, it’s also a key requirement of GDPR. It’s actually nothing new as well, previously called privacy by design, the only change under GDPR is that it is now a legal requirement.

So what is the message here? If I could summarise this article it would be this. Security first, design second, always think about security, never compromise security over functionality. Doing this will be at the detriment to your business, bad people are out on the Internet, their interest is to spread FUD (Fear, Uncertainty and Doubt) within your organisation and your clients. This will be entrenched in your clients. Fear that their data is at risk, uncertainty that you know what you are doing and doubt that you are the organisation to achieve their goals.