Gone are the days of the cloud and touchscreens being the top technology solutions within your organization. The velocity at which we’re experiencing technology advancements is faster than ever before, causing industries and employees to have to evolve and adapt at a record pace.
In a recent PwC CEO Survey, 90% of CEOs said they think technology will change competition in their industry over the next five years. While these new technologies, such as the Internet of Things (IoT) and cloud computing, are creating positive change, they can bring issues.
Without proper security protocols, technology advances can expose companies, their employees, and their customers to more loopholes for hackers. Technology issues are top of mind for tech CEOs, who are working with their teams to address cybersecurity breaches that affect business information or critical systems (70%) and breaches in data privacy and ethics (67%).
The cost implications of cyberattacks are astronomical and can be detrimental to both business financials and consumer trust. In an age when news can be shared instantly, organizations are aiming to stay out of the news.
These days, security must be the bedrock throughout the organization and product development lifecycle, and the protection of all data systems must be ingrained in the culture. Therefore, security should be layered throughout the product development lifecycle and natively built into it from the beginning, not merely sprinkled on at the end.
Here are four tips on how to shift security to the product development lifecycle.
1. Start from the beginning … and keep going
Before you start developing a product, ask yourself, “What security measures can I create that are inherently part of the product itself?” and, “How do I evolve the level of security protocols throughout the product lifecycle?”
Having a security strategy is the primary step. To build one, establish a multi-layered security ecosystem with a rigorous review process that includes code review, internal scanning, third-party penetration testing, and other steps that create a holistic approach. Within that strategy, have a plan B and plan C for any potential risks found, with step-by-step instructions on the who, what, when, where, why, and how for all staff who might encounter the issue. Again, the protection of consumer data must be ingrained in the company culture, which means every employee plays a part.
My team is led by a white-hat hacker who is continually attempting to circumvent our security checks. The team is involved in product development from the beginning and carries on through the end, ensuring that security is at the root of all we develop. Hiring professional hackers can help poke holes in your product development lifecycle and ultimately build a more secure product to protect your consumer data.
2. Quality is part of the journey … not just the destination
It’s a no-brainer that quality should be a priority when providing any product or service to your customers. Processes should be in place throughout the organization to ensure that the highest level of quality is met when developing a product. As with layering in security throughout the product development lifecycle, quality checks must be layered in as well.
Consider developing a process or committee that oversees quality throughout the development phase. My team implemented a quality assurance process to improve and stabilize processes. We use the acronym DMAIC (define, measure, analyze, improve, and control) to guide our product development. The process includes frequent code reviews with senior technical staff to ensure accuracy and development standards, as well as constant regression testing.
Focusing on quality assurance and identifying vulnerabilities throughout the development lifecycle helps streamline security efforts and reduces risk for your organization and its consumers.
3. Educate, educate, educate
Employees are responsible for 60% of all cybersecurity attacks, according to Harvard Business Review. Educating employees on security protocols, their role in security, and how it applies to their day-to-day job is crucial to ensure that the product they work on and the customers they serve remain secure.
Education can be done in a variety of ways. Whether it’s through webinars, all-hands meetings, or a mock phishing campaign, you need to reach your employees where they are to ensure engagement. As they say in sports, the best offense is a good defense—and that rings true in cybersecurity as well. By decreasing human error, your organization will reap benefits down the road.
While not all employees may work directly on product development, everyone needs to feel invested in and knowledgeable about their capabilities. Lifting the hood and sharing more details about products with your entire staff will make them more invested in not only selling the products but protecting the products as well.
For example, each week have your product development team share an update on products in development, including what each does and why it matters to each of them as an employee. This can help to engage and educate the entire staff on your products to achieve optimal security.
4. Design with the future in mind
Products should be designed with an agile approach for seamless scalability, so that error and security updates can be launched quickly. With SaaS technology, scalability and product upgrades are much faster—and the same goes for security updates. Creating agile products allows your organization to prepare for future changes and easily scale regardless of user base or location.
Making strategic investments in IT infrastructure can save countless headaches and financial burdens when issues inevitably arise. Take, for example, Hilton. The hospitality group invested $550 million in an IT infrastructure overhaul of its property-management system to allow it to roll out digital features at scale.
With a big investment up front, Hilton is looking toward the future to provide its stakeholders technology that benefits them every day, so that when an issue arises, they are already prepared. Your organization needs to look around corners for what issues may arise down the road and prepare for them today.
Bringing security into the fold
From product inception to sunset, security must be considered through every phase of the development lifecycle. All employees have a role in cybersecurity and, just as with customer safety and satisfaction, it must be ingrained in the company culture for best results.
With the right procedures and failsafes in place during product development, you’ll have the ability to better protect your organization, your employees, and your customers.
Tom Pohl, VP of IT Systems at Businessolver, contributed to this post.