Design for Cybersecurity From the Start

To avoid hidden vulnerabilities, security must be baked into the development process, not bolted on.

Reading Time: 15 min 


Permissions and PDF

Image courtesy of Chris Gash/

Everyone understands how important security is to digital products and services. Customers expect digital offerings to be secure, especially when they’re incorporating them into their own products and services. For example, a manufacturer that includes a sensor in its product design expects the sensor it uses to be cybersecure and not introduce vulnerabilities. Any device connected to the internet can create an entry point for attacks that access the internal system, steal credentials, plant malware, or collect sensitive data. But as breach after well-publicized breach shows, our development processes to build cybersecurity into products and services continue to break down. We have not yet reached the point where security is not only expected but deeply embedded in every aspect of product development.

To build truly secure digital products and services (which we’ll refer to as either “products” or “offerings” for simplicity’s sake), cybersecurity must be baked in from the initial design stage. While this isn’t easy, doing so can keep costs in check and help organizations better meet customer expectations. However, too often security is an afterthought, addressed only after a product has already been designed.

In our research into how companies build cybersecure offerings, we found that cybersecurity is rarely considered among the criteria in the early design phase. Most designers focus on making sure their offerings are elegant, marketable, usable, and feature-rich. Security is often “bolted on” after initial designs are completed, either by security development processes running parallel to the product development process or by security experts who work as consultants to the design team.



1. The National Vulnerability Database is part of the National Institute of Standards and Technology Information Technology Laboratory.

2. K. Huang and S. Madnick, “A Cyberattack Doesn’t Have to Sink Your Stock Price,” Harvard Business Review, Aug. 14, 2020,

3. For a complete description of the Huang and Pearlson cybersecurity culture model, see K. Huang and K. Pearlson, “For What Technology Can’t Fix: Building a Model of Organizational Cybersecurity Culture,” PDF File in “Proceedings of the 52nd Hawaii International Conference on System Sciences” (Honolulu: University of Hawaii, 2019), 6398-6407.


The authors wish to thank Abigail Kolyer, MIT research assistant, and George Wrenn II, adviser, for their assistance with this research. Thank you also to the numerous product development professionals who generously gave their time to be interviewed as part of this project, and to the leaders of the companies who supported this work through access to their development teams. Funding for this project was provided by CAMS. The authors contributed equally to this work and are co-corresponding authors.

Reprint #:


More Like This

Add a comment

You must to post a comment.

First time here? Sign up for a free account: Comment on articles and get access to many more articles.

Comment (1)
Mukesh Mallian
Great article and every C-Suite Exec should be concerned when cybersecurity is an after thought.