The business value of security by design: a process not a product

My business focuses on tools and support in two areas: 1) embedding security & privacy from the design process all the way through to checking that the controls are in place in production; and 2) detecting when the controls haven’t worked by finding breaches. It’s a really difficult set of conversations to have with an organisation because it means changing the way they develop and operate rather than just bolting on some additional goodies:

[…] In reality, implementing security by design requires a great deal of planning, and encompasses everybody within a business – from the development and security teams to the C-Suite. By ensuring there is a key focus on security in the development phase, a system is less likely to be breached further down the line as a result of hackers gaining access through vulnerable access points.

Organisations also need to adopt an “always on” approach, which requires constantly monitoring for threats and testing security processes. To help security teams make sense of the information from tools that generate alerts, they also require curated threat data. All of this involves strategically selecting best-of-breed technologies that provide 24/7 monitoring and protection, along with regular scanning patches for vulnerabilities as and when they arise. More often than not, vendors specialising in cyber-security will be more efficient and cost-effective than developing home-grown tools.


Original article here