Security Is Not a Feature – And It’s Not Optional Either

Let’s face it, there’s a major flaw in the way businesses approach cybersecurity. It’s not uncommon for development teams to prioritize speed over security functions like encryption and authentication. 

After all, new features bring customers in, while security is often seen as an expensive investment that generates very little ROI—one that also slows down the process.

So, how did we get here? The problem lies in how businesses view cybersecurity. Rather than viewing it as a core piece of business operations, they treat it as just another feature, one that is not prioritized. They are functionally attempting to close their eyes when faced with danger. 

When they don’t get the results they expected, they dismiss it as a sunk cost. 

In this article, we’re going to make the case for why more companies should see security as an essential building block to all business applications.

Security Is Not a Feature

How Did We Get Here? The Popular Culture Problem

Popular culture has played a significant role in this flawed perception. Cybersecurity in the world of film and media has an immediate payoff like when watching movies, such as Mission Impossible or the Bourne Identity, Often “cyber” is the lead character in the thriller. 

Cybersecurity in the real world does not follow that pattern — for the inexperienced, It appears on the surface to be little more than a money pit. 

The first step, then, is a shift in perception. Leadership must understand that by the time one can tangibly measure the value of a security solution, it’s already too late. To begin, we’re going to suggest something unorthodox.

Watching Mr. Robot.  While it may appear fantastical at first glance, the scientific and technical details behind that show’s hacks are both accurate and sound. Consider the following examples from the show, courtesy of Rolling Stone and Dark Reading

  • The use of a Raspberry Pi to hack a smart thermostat, taking control of a data center’s climate control system in order to gain access. 
  • Cloning a key fob with a 315 mHZ remote control scanner, using that to unlock a vehicle, then taking full control of the vehicle through its CAN-bus port. 
  • Copying an ID badge to gain access to a secure facility simply by walking in close proximity to an employee. 
  • Using the Wi-Fi connection at a cafe to steal the passwords of everyone using it, and also gain access to their computers. 

Each of these hacks is plausible. Each can happen in the real world. And each clearly demonstrates the cost one pays for ignoring cybersecurity, and the reason why it should be part of your risk management strategy from day one. 

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

A Troubling Road Ahead

As we bring more and more of our systems and data online, things are going to get worse before they get better. Just look at what happened as a direct result of the pandemic. Digital transformation leapt forward by ten years in just three months, accompanied by a 600% increase in cybercrime and nearly $1 trillion in global losses for 2020 alone.  

Attacks did not solely increase in volume over the course of 2020, either. The year also played host to some of the most severe cyber incidents and data breaches in history. Of these, the worst, arguably, was Solarwinds

A major American information technology firm serving some of the nation’s largest corporate and public sector clients, the company was targeted by a sophisticated, likely state-sponsored hack. By infecting the company’s update server, Orion, with malware, the black hats responsible for the attack were able to then use poisoned updates to gain a backdoor into the IT systems of approximately 18,000 companies. 

Although the attack itself was incredibly sophisticated, it turns out the hackers needn’t have bothered putting so much effort in. The update server — which again, is responsible for sending updates to agencies like the United States Department of Treasury  — was protected by the password solarwinds123. Although the company’s CEO would later blame an intern for the issue, he offered no explanation of why the company also ignored a warning given to it by a security researcher in 2019. 

At this point, you might be tempted to condemn Solarwinds for taking such a lax approach to protecting such a critical system. And while the firm has certainly faced the consequences of its inaction, what happened here is hardly unique. The reality is that Solarwinds is not unique — even now, a year and a half into one of the largest digital transformation booms the world has ever experienced, many businesses still view cybersecurity as an afterthought at best.

Consider the Microsoft Exchange Server hack earlier this year. To date, it has compromised an estimated 30,000 to 60,000 organizations, making it one of the largest commercial hacks in history. It was also completely avoidable. Speaking to security expert Brian Krebs, Microsoft acknowledged that it was made aware of the four zero day bugs at the beginning January

As you may recall, the attack took place in March. Microsoft had nearly two months in which it could have patched the exploits. It isn’t as though they were difficult to address, either. The company released a hotfix just days after news of the hack first broke. 

It should be clear by now that even in highly-sensitive industries and sectors, businesses are not prioritizing application and data security as they should. Instead, when weighing the balance between security and usability, they inevitably choose the latter. And why shouldn’t they? 

You cannot expect a business to put a premium on security when its customer base simply doesn’t care. 

A Problematic Mismatch

Nearly everyone claims to want privacy. Nearly everyone says they care about keeping their data safe and ensuring they are not the victims of malware, or worse, identity theft. Yet words fail to match actions.

We lament the death of privacy in conversation, yet are perfectly willing to give up personally-identifiable details for 5% off our grocery bill.  We express our concern about the cybersecurity nightmare that is the Internet of Things, all the while gleefully installing as many unsecured smart devices in our homes as we can. We claim we don’t want our accounts to be compromised, yet reuse passwords across multiple accounts without even bothering to use two-factor authentication

In other words, no matter how important we say we think security is, we more often than not care more about new features, better performance, and lower cost. Is it any wonder that businesses do the same? Any shock that they buy software solutions for features alone, even if those solutions fail to measure up in a software security audit? 

Together, we have created a world in which features and performance generate revenue and security creates costs. Why should an organization focus on risk prevention? The revenue increase from better features is often more than enough to cover any lawsuits and fines it might encounter in the wake of a data breach. 

What’s more, many businesses still labor under the mistaken perception of security risks as hypothetical — as something that happens to other businesses, and not their own. 

Some Sacrifices Shouldn’t Be Made

The issue here is about more than measuring cost against revenue. Security and usability have long been diametrically opposed in enterprise software. The common perception is that the more secure you make your software, the more difficult it is to use. 

It’s a perception that needs to die. There is no longer any justification for throwing security aside in the interest of availability, and vice-versa. Provided a business develops its applications from the ground-up with a focus on security (and exclusively pursues vendors with the same approach), the two can operate more as twins than as rivals.

As for what that involves, there are a few factors to keep in mind. 

  • Complexity is the enemy. Software must be as simple to use, manage, and deploy as possible. Thankfully, cloud apps are generally a step in the right direction where this is concerned.
  • Control access permissions. Each employee should only be able to access the resources, systems, and data that they absolutely need in order to do their job effectively. 
  • Regularly test your features and controls. Many businesses view cybersecurity as a single project. The truth is that it’s an ongoing process, one which requires regular audits and evaluations. We’ll talk a bit more about how to implement an effective security audit below. 
  • Work with users rather than against them. If user feedback on a particular security control is overwhelmingly negative, it is your responsibility to find a way to address that. 

This is not something you can simply ignore. If your security controls are too draconian or cumbersome they will paradoxically lead to reduced security as your users look for workarounds.  And if you don’t bother with security at all, you’ve only yourself to blame when your data falls into the wrong hands. 

If this is all starting to sound overwhelming to you, you certainly aren’t alone. But we aren’t done yet. We need to address the other elephant in the room.

Compliance. 

Contending With An Increasingly Complex Regulatory Climate

Governments and regulatory bodies are keenly aware of how businesses currently treat security obligations. In response, they’re mandating increasingly-complicated standards and regulatory requirements. As a result, even businesses that take security seriously are being exposed to regulatory risk atop cybersecurity risk. 

The European Union’s General Data Protection Regulation is a prime example, not in the least because its fines are steep enough to impact the bottom line of even the largest organization. Other regions and governments have begun to follow the EU’s lead. California is one particularly pronounced example, having passed both the California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA). Beyond that, another 20 states are currently legislating privacy laws, demonstrating how important security really is.

This is in addition to already-existing standards, such as PCI/DSS, SOC 2, and ISO27001, as well. The end result is a nightmarish hodgepodge of acronyms, regulatory requirements, and fines. Because although security risk may be hypothetical, compliance risk is both real and concrete. 

On the one hand, this isn’t a bad thing. In many areas of the world, regulatory bodies have been largely toothless where enforcement of security regulations is concerned. Attaching real, tangible consequences to non-compliance is an excellent way to encourage businesses to step up their security posture.

On the other hand, this newly-pronounced focus on compliance is pushing requirements onto not just the businesses that are subject to regulations, but also their vendors and suppliers. The end result is that more small and medium businesses than ever are now required to do security and privacy audits. And while there’s no excuse for a failure to audit by a larger organization, these smaller operations often lack the in-house expertise, not to mention capital. 

Even so, these audits are necessary, and should be considered part of the cost of doing business. Because though they may seem like a nuisance, they achieve more than checking compliance. They also help an organization identify the actual risks it faces, ultimately guiding it in regards to where it should focus in improving its security posture and helping reduce both hypothetical security threats and the tangible risk of noncompliance.

The Anatomy of An Effective Application Security Audit

Establishing a mature security risk program requires a careful evaluation. For most companies, that means performing a thorough security audit on your apps, both what you use internally and externally. The idea here is to go over everything with a fine-toothed comb, including, but not limited to: 

  • Multifactor authentication 
  • API/function calls
  • Session management (timeouts, concurrent sessions, etc.) 
  • Verification
  • Security architecture
  • User management/privileges
  • Source code
  • Encryption
  • Active and potential vulnerabilities

The simplest, most effective way to achieve this is by leveraging a proven application security framework. That way, you’ll not only know where your areas of focus should be as a developer, you’ll also be able to quickly and effectively evaluate prospective application vendors prior to deployment. 

Centraleyes recently implemented OWASP ASVS 4.0 into our comprehensive risk management platform, which allows us to provide you with everything you need for not just better application security, but a better security posture as a whole.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Related Content

ESG Reporting Frameworks: Manage Your ESG Compliance Process

ESG Reporting Frameworks: Manage Your ESG Compliance Process

What is the ESG reporting framework? ESG stands for Environmental, Social and Governance. It’s become a…
What Is NIST Zero Trust Architecture & How to Achieve It

What Is NIST Zero Trust Architecture & How to Achieve It

Modern enterprise networks and infrastructures are complex. Working with several different networks, cloud services, and remote…
7 Security Challenges Most SaaS Business Comes Across

7 Security Challenges Most SaaS Business Comes Across

Placing data on the cloud always sounds like a great idea – many big companies are…