5 minute read 17 Dec 2021

How businesses can ignite digital transformation with Security by Design

By Tom Slattery

EY Ireland Technology Consulting Partner

Tom is a Partner in our Technology Consulting practice, supporting client adoption of technology to transform business.

Contributors
Frank De Azevedo

Too often, security is an afterthought in the transformation process. Identifying risks early and evaluating security improvement opportunities throughout the process using Security By Design helps avoid costs and enable success.

In brief
  • Organisations that embrace Security By Design are generally at a higher level of maturity with security and resilience than more reactive counterparts.
  • The earlier you “shift left” the better.
  • Five steps to secure by design

Now more than ever, organisations must assess the breadth of their business and consider a variety of levers when embarking on their digital transformation journey. Digital transformation initiatives provide solutions across three areas - strategic (markets, channel, pricing), structural (organisation design, locations, suppliers, technology, capital) and operational (digitisation, productivity, data, controls). Securing your digital journey is key to successfully building future business while exceeding investor expectations within regulatory boundaries.

Applying too fine a focus on technology may result in organisations missing unique opportunities to fundamentally transform their businesses and move to a digitised world embracing greater flexibility, scalability, and collaboration. Cybersecurity risk should be a core consideration at the heart of any corporate digital transformation initiative, and Security by Design is an important principle that can help ensure success. By identifying risks early and evaluating security improvement opportunities throughout the transformation process, organisations can avoid costly errors and truly enable success.

Security by Design offers strategic benefits

The EY Global Information Security Survey (GISS) 2021¹ found that organisations that embrace the Security by Design approach are generally at a higher maturity level in terms of security and resilience than their more reactive or compliance-led counterparts. There is a need for organisations to “shift left” and assess or test earlier in the process to help ensure the success of their digital transformation initiatives. More than two-thirds (68%) of the Irish cybersecurity leaders surveyed said that their teams were sometimes consulted too late, and often not at all, when their organisations made strategic decisions². This is a significant oversight given the increase, in terms of volume and impact, in threat activity globally and locally since the start of the pandemic.

Some of the key challenges that development and security teams face are:

Development teams
  • Increased compliance requirements
  • Additional overhead of security reviews
  • Difficulty translating security controls into security features

Security teams
  • Being included too late in the Software Development Life Cycle (SDLC)
  • Being expected to sign off on go-live without adequate engagement from the start
  • Increased demand for security services

Security by Design is a proactive, pragmatic, and strategic approach that seeks to consider risk and embed security from the outset, and at every stage of a new initiative. The security “shift left” facilitates collaboration amongst development and security teams using iterative and continuous development methodologies to discuss, design and implement security controls, reducing not only security risk, but also longer-term costs. By applying Security by Design principles, organisations can integrate appropriate countermeasures into solution designs and architectures, avoiding the higher costs that would arise should these requirements only be identified during implementation, test, or worse still, in production.

“Where cybersecurity is involved from the start – focussed on security and privacy by design – there is an opportunity to work with regulation and compliance in mind from the beginning, rather than having to reverse-engineer it,” advised Carol Murphy, EY Ireland Consulting Partner and Head of Technology Risk.

Five steps to secure by design

To respond appropriately to the challenges posed by an ever-changing threat-landscape, organisations must start to consider Security by Design in their SDLC, aligning security-related processes and activities with development activities, and promoting collaboration between security and development personnel. Risk cannot, and need not, be avoided altogether but, by recognising potential pitfalls early, risk-appropriate security decisions and controls can be adopted, resulting in an overall more cost-effective solution delivery process.

Here is what organisations can do to embed Security by Design into their digital transformation initiatives:

  1. Establish a Security by Design framework and principles so that there is an understanding of how and when a Security by Design approach is required.
  2. Establish processes to ensure that security risks are identified early, assessed continuously, and managed appropriately.
  3. Conduct security workshops with business and security teams. Use these to develop threat models to identify a common perspective of key risks to be managed through the technical solution and supporting processes under development.
  4. Provide stage-gates and decision points at different phases to ensure that no progress decision is made without an assessment of risk.
  5. Implement tools and controls, supported by automation, to limit process deviation and increase efficiency.

By following a Security by Design approach, organisations can identify critical risk-based requirements up front. These can provide a reliable, repeatable base for broader use. The consideration and use of Threat Intelligence (TI) and threat modelling, Zero-Trust (ZT) architectures, Secure Access Service Edge (SASE), Data Loss Protection (DLP) and Security Orchestration, Automation and Response (SOAR), as well as traditional security mechanisms such as firewalls, Intrusion Prevention Systems (IPS) and Security Information and Event Management (SIEM), are now even more essential.

New approaches, such as DevSecOps, allow faster delivery of change in the digital paradigm and require faster, more secure delivery mechanisms. DevOps tools help businesses to innovate at speed. DevSecOps, if deployed strategically, can elevate compliance maturity levels, boost productivity, and reduce time to market. DevSecOps supports continuous innovation that requires a strong security underpinning. It builds security into products and helps automate cybersecurity practices so that they are utilised for continuous deployment.

The earlier you ‘shift left’, the better

No matter where you are on your digital journey and whatever delivery methodology you are using, the basic concepts of planning and requirements definition, design, build, and test remain unchanged. By keeping to these basics and ensuring that security requirements remain relevant, organisations can mitigate the increased security risk presented by digital transformation in a controlled manner. In addition, this approach allows all project stakeholders to remain comfortable with the specific methodology variances of design, build and test.

Today’s transformative age no longer consists of simple niche innovations. These are now global networked systems which will themselves become interconnected and will increasingly form the basis of everything we do day-to-day. The new normal demands that organisations develop and use modern technologies to adopt a Security by Design approach and start “shifting left” to consider security earlier in the development pipeline. Those who fail to do so may reduce their competitive advantage, compromise their regulatory position, and increase their risk exposure. A proactive, pragmatic, and strategic approach that considers risk from the outset – rather than as an afterthought – can make the difference between those who stagnate and those who thrive in the digital transformation age.

Summary

Organisations today must innovate to survive, but in doing so face ever-growing threats from cyberattacks. Businesses need a new perspective that considers cybersecurity as a fundamental component of any product or service. Introducing a principle of Secure by Design can help organisations minimise disruption, especially in the hybrid workplaces of this new normal.
