Time is not a luxury available in any business market. And while no business wants to—or can afford to—undervalue the importance of cybersecurity, it is sometimes overlooked in the push to host an online application or some new feature for customers.
There was a time when security was only added on as an afterthought. Those days are (mostly) over, but even with security baked in early, there are two forces at work that make it tough to keep up:
- Technology is everywhere. There is virtually no part of our lives that doesn’t have some internet-based or app component to it.
- Businesses are under incredible pressure. Once they bring a product to market, they must constantly outdo themselves, and the pace of change can be dizzying and financially risky.
The Cost of Going Live With Vulnerabilities
Cyber attackers are constantly looking for new ways to achieve their nefarious goals. If they find a vulnerability in your software, hardware, or service, you can bet they’ll exploit it for all it’s worth. And sometimes these security flaws are discovered by white hats doing research. While this second scenario is preferable, you’ll still need to scramble to issue a fix. Either way, all the momentum and business value you created with your new or updated product can (and likely will) vanish in an instant. Even though business leaders know this, the pull to get something—anything—out there can be much stronger than the desire to wait for security perfection, especially if they’ve embraced the “fail-fast” mantra. And on the flip side, developers are pressured to reserve such digital acrobatics for the sexier stuff, so security often gets pushed to the side.
At The Intersection of Quality And Risk
When people talk about product quality, they are usually referring to the features and workflows that behave the way they’re supposed to, at least from the end-user side. But that doesn’t reflect whether the underlying code and functions contain any potential vulnerabilities. From a marketing perspective, the concept of the “whole product” considers not just the actual goods, but everything customers need, including documentation, training, support, etc. Security is not traditionally included in the whole product, but considering the bad customer experience of being hacked by the same technology they’ve employed, it probably should be.
Risk management, on the other hand, is about identifying and controlling activities within an enterprise to minimize the effects of risk on the organization’s assets and revenue. Traditionally, risk management focused on financial risk, but cyber risk—which can have significant financial consequences—has increasingly become part of the overall risk program. No longer just IT’s responsibility, it has board-level visibility and consequences.
Unclear Ownership of Product Security
In most companies, goods are owned by product managers who define the overall strategy and requirements for their success. And while security is often—one might even optimistically say almost always—top of mind, the focus is mainly on aligning functional requirements with customer needs. Having said that, the word “security” doesn’t appear anywhere on the product manager Wikipedia page. It’s a telling omission.
In the IT world, a defense-in-depth approach layers physical, technical, and administrative security controls throughout the infrastructure. Layering security throughout the product development lifecycle is just as critical. It requires not just software, environmental, and hardware controls, but also secure coding practices, as well as QA that looks for security problems in addition to functional issues.
It Literally JUST Happened Again
Last week, there was yet another major hack revealed that illustrates the point. A sophisticated attack that enabled hackers to gain control of around 50 million Facebook accounts exploited vulnerabilities in the “View As” feature. The feature exists to let users see how their profile looks to other people. It’s useful to help people determine which privacy settings they want to set. “View As” behaved the way it was supposed to from purely a user functionality perspective. But there was a weakness in the code—in the specific way it was implemented—that exposed information about users’ access tokens which could be used to log in and control their accounts.
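The point made above, that a feature can be functionally correct and still leak a credential, is the difference between functional QA and security QA described in the previous section. The following is an added, constructed example and not Facebook's code or a reconstruction of its bug: a toy "view as" feature rendered two ways, with a functional check that both versions pass and a security check (no other user's token in the response) that only the hardened version passes. All users, tokens and function names are invented for illustration.

```python
"""Functional QA versus security QA for a hypothetical "view as" feature.

Constructed example: the users, tokens and rendering functions are invented
for illustration and are not Facebook's code or a reconstruction of its bug.
"""
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    bio: str
    bio_visibility: str  # "public" or "friends"
    friends: set = field(default_factory=set)
    # Bearer token that grants control of the account (constructed value).
    token: str = field(default_factory=lambda: secrets.token_hex(16))


def bio_visible_to(owner: User, other: User) -> bool:
    """Privacy rule: a friends-only bio is shown only to friends."""
    return owner.bio_visibility == "public" or other.name in owner.friends


def view_as_vulnerable(owner: User, other: User) -> dict:
    """Render owner's profile as `other` would see it.

    Hypothetical defect: to let embedded widgets load "as" the other user,
    the response carries that user's token. Every functional check on the
    rendered fields still passes, so a feature test never notices.
    """
    return {
        "name": owner.name,
        "bio": owner.bio if bio_visible_to(owner, other) else None,
        "viewing_as": other.name,
        "widget_token": other.token,  # the leak
    }


def view_as_hardened(owner: User, other: User) -> dict:
    """Same rendering, but the previewed user's credential never leaves the
    server; widgets get a non-credential mode flag instead."""
    return {
        "name": owner.name,
        "bio": owner.bio if bio_visible_to(owner, other) else None,
        "viewing_as": other.name,
        "widget_mode": "preview",  # no token, no authority
    }


def functional_check(render) -> bool:
    """What a feature test asks: does the privacy rule hold on the page?"""
    alice = User("alice", "hello", "friends", friends={"bob"})
    bob = User("bob", "", "public")
    eve = User("eve", "", "public")
    return (render(alice, bob)["bio"] == "hello"
            and render(alice, eve)["bio"] is None)


def security_check(render) -> bool:
    """What a security test asks: does the page carry anyone else's token?

    The response is serialized and scanned for the previewed user's
    credential, wherever it might be nested in the rendered structure.
    """
    alice = User("alice", "hello", "friends", friends={"bob"})
    bob = User("bob", "", "public")
    page = json.dumps(render(alice, bob))
    return bob.token not in page


if __name__ == "__main__":
    for label, render in (("vulnerable", view_as_vulnerable),
                          ("hardened", view_as_hardened)):
        print(f"{label}: functional={functional_check(render)} "
              f"security={security_check(render)}")
```

Both renderers satisfy `functional_check`; only `view_as_hardened` satisfies `security_check`. The design point is that the security test asserts on what the whole response must not contain, rather than on whether the visible fields look right, which is exactly the kind of check a feature-focused test plan omits.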
It’s Only Going To Get Harder
More and more, innovation is being driven by data. Apps, services, and devices are creating and collecting massive volumes, which can be consolidated and crunched to create new apps, services, and devices. This data is a valuable asset—to businesses and to hackers. But, it’s not just about securing data. As everything is increasingly connected to everything else, it provides us with cool new stuff, and it provides attackers with opportunities to find a way to get to the data they’re ultimately looking for (which is what happened in the latest Facebook breach) or to control a machine or device as part of a botnet or for cryptomining. More data and more connections are good for innovation, but so is security. Speed to market is important, but given the high stakes involved, security is even more important and needs to be an integral part of the go-to-market process.