Start secure to be secure
As long as human beings have roamed the earth, the need for security has existed. When civilizations evolved, so did the need for more sophisticated security. Security technology has advanced from structurally sound walls and doors to mechanical and electronic locks, followed by complex monitoring systems and biometric technology. Thanks to the internet, digital networks and unlimited software development possibilities, there is a whole new domain called cyber space that must be secured.
To provide some context around the magnitude of cyber space: in 2020, the world population is estimated to have grown to 7.8 billion people, with the estimated cyber space population reaching 4.6 billion. That figure does not even include the Internet of Things (IoT), and it tells us that more than half of the world’s population has an “alternative” footprint in cyberspace. To bring the statistics closer to home, the United States population is roughly 331 million people, with more than 313 million of them (94.5%) connected in cyber space.
As physical information and currency migrated to digital mediums, cyber crime escalated just as quickly. Information security has been running to keep up not only with the constant advances in technology, but with the sophisticated and evolving tactics of bad actors. In the early days of information security (pre-internet), the strategy was an insulated defend-and-deter approach; security was therefore treated as an afterthought in technology development, riddled with retrofits and regression bugs. In the past several years, however, the industry has been moving to more integrated and proactive strategies across the technology landscape, ensuring that security is an integral part of the technology development lifecycle. Truly good security must be baked into the design process, from ideation to development to execution and deployment, at all levels of every organization. Needless to say, this has reached a new level of importance within our current operating environment. We have seen the impact on how we work (more remotely), what people need (more flexibility), and how we can continue to protect our broader cyber ecosystem during times of sudden change (given the increase in cyber crime).
Today’s cyber security exploits are much more inconspicuous and invasive, as technology advances (IoT and 5G) offer cyber criminals new weaknesses in systems and networks, including the human aspect. Bad actors trolling cyber space will stop at nothing to gain entry to systems, searching for assets and data, including the use of employees, customers and family members as unsuspecting accomplices. This raises security defense to a whole new scale.
Cyber security is no longer just a routine or control for engineers and developers; it is a mindset, a responsibility and a set of behaviors that need to be part of everyone’s daily habits. The theme for this year’s Cyber Security Awareness Month is “Be Cyber Smart – If You Connect It, Protect It.” It’s time for all people who click, surf, open, “like” or share information on any piece of technology or app to join forces with the industry. In addition to baking good security into the technology design process from the start, we all have to work together to create a resilient culture of cyber security within our organizations, homes and communities.
One security practice to follow is Secure by Design, a discipline that has been around for decades. The Saltzer and Schroeder principles on Secure by Design clearly define steps that can be taken upfront when integrating security into infrastructure, operating systems and applications. It is more important than ever to ensure that development teams, including external third-party technology providers, are cross-collaborating on technology projects at early stages. Like most processes and principles, Secure by Design has matured within information security development. Could the timing be right to ask the questions: “Where can the concept of Secure by Design go beyond the traditional IT and information security departments? How do we support and infuse these concepts in the minds of our employees, clients and broader communities operating in cyber space?”
If cyber security is to be foundational to business decisions and to every product developed for customers, then security must be included from the very moment business requirements are being established. A security professional should already be embedded on technology development teams, so that as those teams move to meet constant customer demands for added digital and mobile services, security is already part of the plan. Practicing Secure by Design principles can require a shift in mindset, but it is one worth the effort, because it fosters the habit of thinking about security during every stage of technology design.
It is paramount that every organization protect the confidentiality, integrity and availability of business systems and customer data. But as cyber security technology has improved to lock out bad actors, criminals are modifying their exploits to use the human factor, preying on unsuspecting people with social engineering tactics. We have to do more than create awareness to combat these evolving tactics; we need to help people change behavior and develop a security mindset.
Increasing the protection mindset with a Secure by Design approach
As much as 2020 has challenged every business, there is some good news around employee behavior toward technology and security. The shift to work-from-home for employees has pre-conditioned the development of individual responsibility with regard to technology and a protection mindset. Employees are exhibiting more self-sufficiency and increased confidence in their technology skills. Now is the time to build on cyber security education around individual responsibilities, skills and tools to create more resiliency.
As organizations see the value of focusing on a security mindset and culture for everyone, attributes of Secure by Design can be helpful throughout the educational process. Two key principles are simplicity and acceptability in the process for change. To get employees (or family members) to engage in a protection mindset as a new behavior, the change in habits has to be: 1) easy – to learn, remember and execute; 2) rewarding – they want to feel like they are making a difference; 3) normal – they want to be part of a normal practice or routine around the office.
If we’re going to create more resilient organizations and communities with secure cyber ecosystems, we need to ask ourselves the tough questions. What more can we do? Our approach to security during every stage of technology development and technology use has to be more sophisticated than the criminal tactics being deployed today. Security doesn’t just start early in the design process; it is critical to every single step forward in the journey, and it is everyone’s responsibility.
About the Author, Craig Froelich
Craig Froelich is chief information security officer for Bank of America. He leads a team of experts in 13 countries dedicated to protecting the money and information of the company’s individual consumers, small and middle-market businesses and large corporations. The Global Information Security (GIS) team provides defenses for current and future threats within the company and partners closely with industry and government associations to keep the sector secure. He has long supported programs that narrow the gender gap in technology, serving as an executive sponsor for Girls Who Code and participating in the company’s employee networks and advocacy groups such as Women in Technology & Operations.
Sources
1. World Population Review
2. Internet World Stats
3. World Population Review
4. Internet World Stats
5. Saltzer and Schroeder, “The Protection of Information in Computer Systems” (1975)