Design for Cybersecurity From the Start
To avoid hidden vulnerabilities, security must be baked into the development process, not bolted on.
Everyone understands how important security is to digital products and services. Customers expect digital offerings to be secure, especially when they’re incorporating them into their own products and services. For example, a manufacturer that includes a sensor in its product design expects the sensor it uses to be cybersecure and not introduce vulnerabilities. Any device connected to the internet can create an entry point for attacks that access the internal system, steal credentials, plant malware, or collect sensitive data. But as breach after well-publicized breach shows, our development processes to build cybersecurity into products and services continue to break down. We have not yet reached the point where security is not only expected but deeply embedded in every aspect of product development.
To build truly secure digital products and services (which we’ll refer to as either “products” or “offerings” for simplicity’s sake), cybersecurity must be baked in from the initial design stage. While this isn’t easy, doing so can keep costs in check and help organizations better meet customer expectations. However, too often security is an afterthought, addressed only after a product has already been designed.
In our research into how companies build cybersecure offerings, we found that cybersecurity is rarely considered among the criteria in the early design phase. Most designers focus on making sure their offerings are elegant, marketable, usable, and feature-rich. Security is often “bolted on” after initial designs are completed, either by security development processes running parallel to the product development process or by security experts who work as consultants to the design team.