Throughout Cybersecurity Awareness Month, I’ve spent some time engaging in conversations with friends and family in an effort to “do my part.” Though I’m not a security practitioner, I do try to raise awareness about cybersecurity’s impact on our privacy, children and national security. Sometimes, though, I feel like Dante in the Inferno when he stood at the foot of the hill looking upward. As he began his trek up the hillside, he was repeatedly met with some downright scary obstacles.
Those who have read the Divine Comedy know that Dante did not give up, but he did have to take the long way around. That lesson applies to businesses when it comes to cybersecurity. Along their security journeys, they may suffer a data leak from a misconfiguration, fall victim to a ransomware attack or get hacked because they didn’t patch a known vulnerability. Alas, sometimes the only way out is through.
That’s why this week’s theme focusing on making security a priority is important for everyone, from the consumer to the startup and even the global enterprise. “For businesses, this means building security into products and processes,” the National Cybersecurity Alliance wrote. “Cybersecurity should not be an afterthought.”
Recently, I had a conversation with a friend who is the CEO of a startup. When I asked how they were addressing cybersecurity in their app, she said, “That doesn’t really involve me.” I tried not to reveal the surprise in my facial expression or tone. In reality, though, this situation is not an anomaly, which is why I want to focus on raising awareness around building security into products and processes this week. To do that, I asked Megan Samford, Chief Product Security Officer – Energy Management at Schneider Electric, where companies should begin and why CEOs need to be involved in the process.
“CEOs should care about the product cybersecurity capability of their company because it’s an intrinsic element of their products’ quality and the mission of their company,” Samford said. Too often, though, there’s a disconnect between business leaders and security teams. It’s not enough to trust that the DevOps team has met the requirements for an app to get into the Google Play store: passing an app store’s review is a publishing gate, not evidence that the product is secure.
“Companies getting started on a product security journey should identify a standard or controls framework, such as IEC 62443 and NIST CSF, to baseline requirements for their program (secure development lifecycle) as a whole, products and (as applicable) systems,” Samford said.
The journey toward security doesn’t stop there, though. Once a standard or controls framework has been selected, Samford said, “A company should begin defining security features needed for their market, taking into consideration the function and application of the products and the consumer base.”
“How does this relate to the CEO? The reality is that a compliance checklist doesn’t make a product secure. If an attacker is able to leverage a vulnerability that results in a security incident or a breach—particularly if the company failed to apply a recognized standard or controls framework—that company can be exposed to liability issues, brand damage and potentially life safety impact concerns should an incident occur in a customer environment,” Samford said.
What’s equally important about this week’s theme is that the responsibility isn’t squarely on the company. Customers have to do their part, too. Let’s face it: if customers demanded security before buying a product, companies would prioritize security. That raises the question: What does prioritizing security look like?
Samford said it’s a combination of strong security features that may include a hardware-based root of trust, a small trusted computing base, defense in depth, compartmentalization, certificate-based authentication, security renewal and failure reporting.
While all of that may sound foreign to a customer, there are questions they can ask as part of their due diligence. “Customers wishing to understand a company’s product security maturity should ask questions around the company’s secure development lifecycle, security features and requirements and the vulnerability handling and disclosure program, which should be public on a company’s website,” Samford said. “Mature companies will seek and be able to provide certifications demonstrating consistent application of the standard.”

As we try to elevate awareness, I see in the headlines what many businesses are going through. Those that are on their security journey know all too well that sometimes it has to hurt in order to heal. Let’s try to move out of Limbo, lest we end up among the uncommitted souls of Canto III of Dante’s Inferno, who took no side and were punished for it. Remember, the goal of this week and month is to remind people that apathy is not a strategy. If we all keep cybersecurity top of mind, we will build a more secure world.