If companies are to reach their strategic goals (reducing time to market, boosting sales, improving product market fit and brand image, and cutting cybersecurity costs), then it's time for a new outlook on software security.
Today's business leaders must learn to see security for what it is: a differentiating factor. Companies with reputations for secure development processes and infrastructure will rise above those known for data breaches.
Security as a Business Strategy
The road to a more secure company, and to realizing the perks associated with it, begins with lean security. This is an approach to information security similar to the Toyota principles of management and production: it calls for environmentally aware engineering, simplified coding, automation of security checks and constant incorporation of feedback.
Although some business leaders believe organizational security is inherently expensive, lean security doesn't mean massive costs. Much like DevOps, lean security champions process improvements and cultural changes above purchasing new tools.
Lean security does, however, require engineers to keep its principles in mind throughout the development process. In this way, security is much like sales: a sales representative's best strategy is to consider his goals from the beginning. Just as the salesperson isn't trying to make just any sale, the engineer isn't trying to create just any product. For the salesperson, this means tweaking the sales process, perhaps by vetting leads before engaging them, to make profitable sales. For the software engineer, it means structuring the development process through lean security to create secure products.
Done right, lean security results in a self-defending, simple system created by people who are aware of a product's real-world security risks and the company's business goals. Lean security recognizes that your company's data is always at risk, no matter the size of the company or team, and it works to create value through systemic protection. Here's how to start:
Improve Environmental Awareness
Lean security approaches risk management as a team effort. Think about a hospital. Everybody working there, from the cooks to the nurses to the executives, has a responsibility to take care of patients.
Software firms must function the same way: everyone from engineers to salespeople to the CIO must keep data privacy, software security and business needs in mind throughout product development and a product's life cycle.
Environmental awareness means addressing security with the same sensibilities that you would apply to your own life. Just as you don't hand your credit card to random people, neither should you hand the keys to a software engineer who doesn't know the risks of insecure development.
More secure coding begins with a change of mindset. Once team members understand a product's security risks, they start thinking about how to create a more secure environment. If a developer is creating a mobile app for a car, for instance, then they must recognize that the app will be used in conjunction with a device that carries human life.
Simplify Engineering
Complexity is the enemy of security. Simplification, however, cannot be limited to lines of code: it means organizing your teams, and thus your entire system, in a way that improves time to market and tightens feedback loops.
DevOps is a great way for business leaders to improve security through sensible reorganization. The integration of development and operations teams has been lauded as a security-boosting measure by software leaders at companies including Dell, and CA Technologies recently studied DevOps' business benefits. It found that companies that have implemented DevOps techniques are 2.5 times more likely to improve customer retention, twice as likely to grow their revenues and 3.4 times more likely to improve their market share.
In short, keep teams compact and agile and design with the end in mind. The more lines of code you add, the more complex teams you create and the more times you reinvent the wheel, and ultimately, the less secure and less profitable your company's products become.
Automate or Die
Automation is an essential component of lean security, and DevOps engineers are no strangers to automation. Threats are constantly increasing, and no engineer, or team of engineers, can discover and remedy them all manually.
Look to Netflix for a great example of automated security. Once upon a time, Netflix addressed malware alerts by manually creating a help desk ticket and assigning an engineer to investigate the problem. The time from alert generation to eventual resolution, according to Netflix, often spanned more than a week. As Netflix's security challenges increased in both diversity and complexity, it found itself spending exponentially more time and money combating these threats.
Then Robert Fry, Netflix's senior information security architect, came up with a brilliant solution: he engineered FIDO, an orchestration layer that automatically evaluates, assesses and responds to security threats. FIDO detects threats, then scores them based on the attack's intended target and other factors. FIDO then attempts to mitigate the event by closing a network port, ending a VPN session or disabling the account.
Tools such as Netflix's FIDO automatically detect risks in seconds, while it could take a human months to stumble across them. Think of security automation like a home security system: ongoing, vigilant security without the need for continued manpower.
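As an added illustration, not Netflix's FIDO code, here is a simplified Python sketch of the score-then-respond flow described above: each alert is scored from the target's criticality, the detector's confidence and the reported severity, and the score decides between the three containment actions the text names or a ticket for a human. The criticality and confidence tables, the score thresholds and the sample alerts are constructed assumptions.

```python
"""Toy alert-triage orchestrator modelled on the FIDO description above.
Constructed example: tables, thresholds and alerts are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed criticality of the attack's intended target (higher = more sensitive).
TARGET_CRITICALITY = {
    "workstation": 1,
    "build-server": 3,
    "vpn-gateway": 3,
    "domain-controller": 5,
}

# Assumed confidence in the system that raised the alert.
SOURCE_CONFIDENCE = {"antivirus": 1.0, "ids": 0.8, "user-report": 0.5}

@dataclass
class Alert:
    target: str                    # kind of asset the attack aimed at
    source: str                    # detector that raised the alert
    severity: int                  # 1..5 as reported by the detector
    account: Optional[str] = None  # account involved, if any
    vpn_session: Optional[str] = None
    port: Optional[int] = None

def score(alert: Alert) -> float:
    """Combine target criticality, detector confidence and severity (0..25)."""
    crit = TARGET_CRITICALITY.get(alert.target, 2)   # unknown asset: middle value
    conf = SOURCE_CONFIDENCE.get(alert.source, 0.5)  # unknown detector: low trust
    return round(crit * alert.severity * conf, 2)

def respond(alert: Alert) -> List[str]:
    """Choose containment actions by score. Low scores go to a human ticket;
    network-level actions start at 4; disabling an account needs 12 or more."""
    s = score(alert)
    if s < 4:
        return ["ticket:manual-review"]
    actions: List[str] = []
    if alert.port is not None:
        actions.append(f"close-port:{alert.port}")
    if alert.vpn_session is not None:
        actions.append(f"end-vpn-session:{alert.vpn_session}")
    if s >= 12 and alert.account is not None:
        actions.append(f"disable-account:{alert.account}")
    # Nothing automatable for this alert: fall back to a human.
    return actions or ["ticket:manual-review"]
```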
Measure Everything
Although its origins are disputed, many credit English mathematician Karl Pearson with quipping, "That which is measured improves. That which is measured and reported improves exponentially."
Development teams should take Pearson's wisdom to heart, and measurement must begin with identification of goals. Is your goal to reduce application downtime or decrease event response time? Then it's essential to measure mean time to repair. Do you want to reduce code defect density? Begin by measuring the number of issues per thousand (or million) lines of code.
Once you've identified goals, use software to track progress over time. Etsy's engineers built a tool they call StatsD. The software helps Etsy monitor everything from login failures to coffee availability. The data is then displayed in handy graphs to help the team make sense of the information.
Once you've taken baseline measurements, be sure to review your metrics on a regular basis. For instance, you might realize an application's deployment times aren't where you'd like them to be. Keep measuring results, and keep trying new things, to nudge those values into better territory. Just remember: you cannot improve that which you do not measure.
The Business of Lean Security
The value of a secure, simple system cannot be overstated: it means getting products to market faster; it means better public perception and press; it means more satisfied customers who feel secure using your product; and it means fewer disruptions in engineers' work schedules. At its core, lean security lowers a company's overall exposure to risk and reduces its expenses.
Companies are already staking their futures, and consumers' safety, on code that facilitates transactions, drives vehicles and manages power plants. The Internet of Things will soon run everything from toasters to jet engines, and security will grow even more important. Protect your company from within through lean security.
