Design for Cybersecurity From the Start

Everyone understands how important security is to digital products and services. Customers expect digital offerings to be secure, especially when they’re incorporating them into their own products and services. For example, a manufacturer that includes a sensor in its product design expects the sensor it uses to be cybersecure and not introduce vulnerabilities. Any device connected to the internet can create an entry point for attacks that access the internal system, steal credentials, plant malware, or collect sensitive data. But as breach after well-publicized breach shows, our development processes to build cybersecurity into products and services continue to break down. We have not yet reached the point where security is not only expected but deeply embedded in every aspect of product development.

To build truly secure digital products and services (which we’ll refer to as either “products” or “offerings” for simplicity’s sake), cybersecurity must be baked in from the initial design stage. While this isn’t easy, doing so can keep costs in check and help organizations better meet customer expectations. However, too often security is an afterthought, addressed only after a product has already been designed.

In our research into how companies build cybersecure offerings, we found that cybersecurity is rarely considered among the criteria in the early design phase. Most designers focus on making sure their offerings are elegant, marketable, usable, and feature-rich. Security is often “bolted on” after initial designs are completed, either by security development processes running parallel to the product development process or by security experts who work as consultants to the design team. This approach can add costs, since it usually involves redesigning a product or retrofitting new features — and if a problem cannot be fixed, a design may have to be scrapped entirely.

If your executive team is not talking regularly about how to build secure digital offerings and you are not testing your processes often, most likely your products have hidden vulnerabilities. The number of discovered vulnerabilities within the United States’ National Vulnerability Database increases yearly; 18,356 new vulnerabilities were reported in 2020 alone, and it is likely that significantly more went unreported.1

Company leaders must find ways to change designers’ attitudes about building in security from the initial design, and that is done when leaders think about security themselves, talk about it with their teams, and make it an important factor in the product’s design. Managerial mechanisms like these are what change the values, attitudes, and beliefs of designers and encourage behaviors that result in more secure initial designs.

Working closely with three large, well-known global companies in telecommunications, industrial controls and digital automation, and energy, we gained insights into why cybersecurity is rarely baked into new digital offerings — and identified actions executives can take to change that. As part of their digital transformations, the companies we studied are including digital capabilities in new devices such as those that manage networks; control heating, ventilating, and air conditioning; or monitor energy consumption.

Cybersecurity Gets No Respect Until It’s Too Late

Few leaders will deny the importance of cybersecurity for digital offerings. However, in practice, product teams tend not to prioritize cybersecurity. Our study revealed three reasons why this happens.

First, cybersecurity doesn’t directly contribute to revenue. Most customers make a purchase decision on the basis of features that add value, reduce costs, or provide other advantages they seek. They treat cybersecurity like tires on a car: They expect it to be there, but they are buying the product for its other features. Product managers understand this. In one company, we were told that the security of its offering is much less important than other features, because it really doesn’t matter how secure the product is if it doesn’t meet customers’ needs.

Second, cybersecurity as it’s done today can potentially delay time to market. It often requires additional resources, such as experts or specialized training, and it can take extra time to perform additional testing and rework when vulnerabilities are found. Product managers believe that if their product misses the window of market opportunity, customers will find alternatives or substitutes. If that happens, the product’s cybersecurity features quickly become irrelevant.

Finally, designers and managers typically underestimate how severe the consequences of cyber-security vulnerabilities can be — at least until a security incident affects them. One manager justified giving security considerations a lower priority by saying that the company’s product was not connected to anything significant in customers’ systems, so a breach was not going to do much damage. When managers learn about a cybersecurity incident, they begin to wonder whether their products may have the same vulnerability. But by then, it could be too late, and the offering might already be in customers’ hands.

While managers debate the merits of spending resources and time on cybersecurity, customer attitudes toward cybersecurity for digital offerings are changing. Increasingly, cybersecurity is becoming a de facto requirement and thus a key selling point. A cybersecurity vulnerability can shut down a company’s operations (as in the May 2021 ransomware attack on Colonial Pipeline in the U.S.), cascading costs through the whole ecosystem. It can damage brands, negatively affect stock price, or create legal exposure for the manufacturer that designed the offering.2

Design Processes for Cybersecurity Must Change

The organizations we studied were approaching cybersecurity in the following three ways that we believe are fairly typical.

1. Bolting on security fixes. Some development teams do not specifically consider cybersecurity until a vulnerability is uncovered through testing after the design is complete. They then bolt on cybersecurity as needed. The most common types of testing where cybersecurity issues were uncovered were vulnerability testing, penetration testing, and quality-control testing.

In this scenario, when a vulnerability is uncovered, it is sent back to the design team to be fixed. In some cases, that might mean undergoing costly redesigns or finding different but more secure components. In our research, managers whose organizations used this approach had many excuses for why it was done that way. In most cases, leadership felt that designers should focus on design and that cybersecurity could be handled when any issues came up. In one case, a designer told us that a product got all the way to the final check for delivery to a customer before cybersecurity concerns were raised, and in more than one case, a product could not be redesigned easily to fix the vulnerability. That meant either canceling the product delivery or sending it back to the initial design phase and starting over. Both are very costly options.

2. Incorporating secure development life-cycle processes. Another approach we observed was parallel processes of reviewing design and injecting security tests and considerations — the security checkpoints or gates — into the design and subsequent development processes. The organization that used this approach had a series of checkpoints where cybersecurity was tested. The product design process continued unless the design failed to make it past one of these gates, and at that point the team discussed how to fix the vulnerability. Again, this can be costly, but it’s much less costly than waiting until the end of the process to see whether security features need to be bolted on. When there are parallel processes, there are specific steps the designers can take to ensure that the design and prototypes have the right security built in. There is still the risk of having to scrap an early-stage design and start over. However, catching the vulnerability at an earlier stage in the design process is less costly than finding it after the design has already been completed.

3. Embedding security consultants. A third approach is to inject security experts directly into the design team to work with designers. In some of the teams we studied, one member was designated to focus on cybersecurity. That person’s role was to ask important questions to make sure designers factored security into their work. While this approach does bring security design into the process earlier than the other two approaches, it does have flaws. In the teams we studied, this expert was a shared resource among multiple design teams. Someone in such a role may not be fully up to speed on the current design, requiring extra work to fill in the missing pieces. And since the expert is assigned to multiple teams, they may not always be available when needed, causing delays in the process. One designer told us that his team’s consultant — a security expert but not a product designer — did not understand the product at the level necessary to offer helpful design advice.

Design With Cybersecurity Baked In

The answer, then, is for designers themselves to have enough knowledge of security needs to build in cybersecurity from the start. They will need both a general understanding of secure design principles and specific knowledge about the security considerations for the offerings they are creating. They must also believe that it’s important to include security starting at idea conception and that it’s their job to ensure that this is done. When those conditions are met, cybersecurity becomes one of the basic design criteria, similar to manufacturability, usability, quality, cost, and the many other elements that are part of any design process.

In the companies we studied, designers with security backgrounds reported that they made decisions on tools, libraries, and components to use in their product designs based in part on how secure they were. Such teams design for cybersecurity as naturally as they do for other criteria. In one case, a team chose not to use an open-source library because of its known vulnerabilities.

Executives and managers told us that they increasingly want to see cybersecurity built into product design from the beginning. To accomplish that, the first step they must take is to genuinely prioritize cybersecurity as a major design criterion. If leaders do not show that they value cybersecurity by talking about it and prioritizing it in their resource allocation decisions, they send a clear, if subliminal, message that it is not really important. Leaders also need to educate themselves about how cybersecurity is being incorporated into their organization’s offerings. If it is by one of the three approaches we saw in our research, they must allocate resources to change the process and show designers what behaviors are expected of them. In one company, a designer said that his managers did not follow through on their stated priority; executives talked about cybersecurity in customer meetings but then did not invest in it. This made the team question whether it was really a priority.

The difference was noticeable at companies where executives did follow through. “Everyone has a real cybersecurity mentality,” said a developer from one such company. “It’s ingrained in the culture at the highest levels of our organization from day one. It’s everywhere in everything you do around here.”

It can be a slow process to turn a large design shop into a secure design shop. One designer explained that “it can take three years to get very good at cybersecurity implementation and very familiar with what needs to be done.” But that only suggests that leaders must be consistent and persevere in prioritizing this objective.

Change Designers’ Values, Attitudes, and Beliefs About Security

Company leaders can tell their design teams that they want them to build for cybersecurity, but that will not happen unless additional managerial mechanisms are put in place to change the values, attitudes, and beliefs of the designers. Our model of building a culture of cybersecurity provides four steps that leaders can take to change the behaviors of their development teams and move them toward a mindset of designing for cybersecurity.3 We saw examples of these mechanisms in the teams that did bake cybersecurity into their offerings.

1. Tie performance appraisals to cybersecurity. Development teams are typically rewarded for elegant product designs and speed to market rather than for secure designs, and this sends the clear message that security is not the priority. One manager commented that designers equated their performance with getting products shipped quickly rather than getting better products shipped later, even if it meant having a product returned for rework due to a vulnerability discovered after the offering was received.

To drive a change in the attitudes of designers, security metrics must be visible to leaders. However, our research showed that the most neglected technique for encouraging desired cybersecurity behaviors was the formal evaluation process. Criteria such as including security design components and security controls, creating designs that pass testing gates, and collaborating with security experts to ensure that offerings are as secure as possible from the early design phase should be part of individuals’ performance evaluations.

More important, leaders must be ready to delay or reject the release of digital offerings with insufficient cybersecurity built in and hold the development team accountable. This will make it clear that there are consequences for insufficient security.

2. Make heroes out of designers who engage in positive cybersecurity behaviors. Recognition can be a big motivator for employees, and, as with conducting performance appraisals, leaders often fail to call out the accomplishments of those who find and fix cybersecurity issues. This sends a very clear but unintended message about what is valued in the organization.

There are numerous ways to reward and recognize employees who take cybersecurity seriously. For example, one manager we interviewed gave bonuses to designers who solved a complex security problem or drove a process that baked cybersecurity into the company’s offerings. At an annual security conference, the same company formally recognized team members who were strong advocates of and contributors to the security of its offerings. Another company used membership invitations to a social network of corporate experts as a way to highlight its cybersecurity heroes. Recognition of security effectiveness can take the form of something as simple as providing a “cybersecurity champion” badge that an employee can add to their email signature. Rewards and recognition can be as easy as adding a virtual badge to an email signature. By doing so, leaders send a clear message that they value cybersecurity behaviors and publicly acknowledge them.

3. Train designers on security in addition to using experts and safety nets. Designers told us they were not focused on the cybersecurity of their designs because others in the organization knew more than they did and would catch any issues later in the development process. This is not an attitude companies should encourage. Designers need basic training on how to design for cybersecurity and should be reminded that it is their responsibility. Agile development processes must also include stories based on cybersecurity requirements. This both highlights the need for secure offerings and provides a platform for assessing whether cybersecurity was built in from the beginning. Safety nets, testing activities, and experts in secure development life-cycle processes are still needed to supplement the initial security designs, but designers must have enough knowledge to do the first pass. (See “What Product Designers Should Know About Security.”)

4. Deliver strong and frequent messages to increase awareness of cybersecurity needs. Designers may not realize it’s their job to develop elegant, cost-effective, secure offerings. This might sound counterintuitive to managers who believe they have communicated this priority. But our research shows that the security message can get lost in the complexity of product design and the many messages designers hear. Leaders need to build a communication plan to consistently reinforce the importance of creating cybersecure offerings. This can include facilitating short discussions or presentations at team or organization meetings, launching funny and engaging campaigns to make the message memorable, or even using traditional marketing techniques to change hearts and minds. The key action here is to continually remind everyone involved in the product development process how important cybersecurity is so that they internalize that belief and align their personal attitudes with the need to develop secure offerings. One leader to whom we suggested this action commented that he had never thought to voice the importance of cybersecurity in product design because he assumed his team already knew it. Upon reflection, he realized that he could not overcommunicate this message.

Digital products are creating new revenue streams for many companies, but every digital product carries the risk of creating new cybersecurity vulnerabilities that must be addressed. Including “design for cybersecurity” as a key design criterion at the beginning of the process will begin to address this issue by reminding designers of the value and importance of secure offerings. Demonstrating that your brand delivers secure products is increasingly important and may even confer a new competitive advantage.

Building in cybersecurity earlier in the design process makes the whole product development process more effective. It avoids the additional work, increased costs, and delays caused by last-minute reviews or testing while making it less likely that cybersecurity issues will arise later down the road. And that should make company leaders — and their customers — sleep more soundly at night.