Secure by Design
The only way that any company is going to get to real security is if they get to Secure by Design.
What does that mean? Well, there is no hard and fast definition, but here are some good suggestions:
1. LIMIT SHADOW IT
You can’t protect what you don’t know is there. Shadow IT also carries potential legal liability for companies, especially in regulated industries. Start by inventorying what your people are actually using, whether IT approved it or not. Then figure out what data is being stored in those systems. The answer may surprise you.
2. ADOPT ZERO TRUST
If you think there is no hard and fast definition of secure by design, wait until you try to find one for zero trust. Like secure by design, zero trust is a framework and a mindset, not a product. The more you operate as a remote workforce, the more important this is.
3. STRENGTHEN SOFTWARE DEVELOPMENT PROCESSES
Even if you only use commercial and cloud software, you need to have robust software development practices. Part of this is making sure your vendors are creating software securely, and part is making sure that you are using that software securely. If you are developing software internally or paying someone to develop it for you, you need to use the NIST Secure Software Development Framework (SSDF) as part of your development process.
4. LEVERAGE RED TEAMS
Red teams are ethical hackers that you hire to try to break in. If they succeed, and they likely will, you harden your systems. Then rinse and repeat.
5. PEOPLE, PEOPLE, PEOPLE
Your people are the MOST IMPORTANT part of your security processes. Include them. Train them. Listen to them. It starts with the Board and the C-Suite — lead by example. I remember when Marissa Mayer was CEO of Yahoo. When asked about password protecting her phone, her response was that she would have to unlock it too many times a day. That is the same company that lost the information for 3 billion of its customers. If you don’t think those are related, talk to us.
If you need help implementing these practices, give us a call. We would be happy to help.