Businesses can increase data protection and decrease costs by baking in information security from the start of any IT project, says Jon McCoy, founder of application security firm DigitalBodyGuard.
“Security needs to start when businesses set the goals and plan the day-to-day workflow a new IT system will accomplish,” he told Computer Weekly.
McCoy, a .Net software engineer, would like to see executives consider information security even earlier when they plan the business direction, products and infrastructure.
“A dollar spent on the planning stage can be worth ten, a hundred or even a thousand times that post deployment, which is a good business reason for investing in security early,” he said.
Time to market is often cited as a reason security is overlooked or added only later, but McCoy points out that developing something securely from the start rarely takes any longer.
“It is usually nice to have longer for testing, but a secure infrastructure can be developed for the same cost in the same time as an insecure infrastructure,” he said.
According to McCoy, small, seemingly unimportant choices at key points in the design of an application, network or business process can have far-reaching effects on the security of the whole organisation.
A common example, he said, is to demand long, complicated, frequently-changing passwords, which can create other security issues more critical than those they are aimed at solving.
This approach to security can put users and security teams at odds and lead to users writing down passwords and finding workarounds.
“A better approach is to find a model that works for users in the real word, such as using a YubiKey device that automatically generates and rotates complex passwords for users,” said McCoy.
Security should be easy and transparent, he said, not frustrating for users by slowing them down in doing their work.
One of the most common security failures in organisations is that they try to solve each problem identified by security analysis tools, rather than looking for and solving the root causes, said McCoy.
Completely ignoring the reports generated by security analysis tools is equally problematic, he said.
On the other hand, companies that are doing security well typically conduct regular security reviews, include security at the planning stages of all IT projects, and do iterative security testing.
However, McCoy cautions against security leading organisations. “There are instances where I have seen this go very wrong because security does not have the market knowledge,” he said.
A secure infrastructure can be developed for the same cost in the same time as an insecure infrastructure
Jon McCoy, DigitalBodyGuard
McCoy said he has seen the most success where a senior executive is a proponent of security and introduces security to each of the business teams, appointing a security representative in each.
“Where security is introduced slowly in this way, it can change the culture of the organisation and stop being an external force to the point that all teams have an internal security skillset or concern,” he said.
Security training for developers
McCoy is to discuss such indicators or security success or failure and other key security issues in a free seminar on the security lifecycle at Level 39, London, on 17 October 2013.
The seminar is in collaboration with the New Developers Conference (NDC), which will hold its first .Net and agile development event in London from 4-6 December 2013 at the ExCel convention centre.
“A key takeaway for the seminar will be that introducing security as early as possible into the development lifecycle will deliver big returns,” said McCoy.
He believes that by reducing the gulf that exists between the security community and developers, businesses will reap rewards in terms of improved data protection.
“Training developers in basic security can have a huge impact because while security experts come and go, developers are the people who construct systems day to day and are always there,” he said.