Not incorporating security-by-design is costly and puts the business in a vulnerable position. The sector has come a long way, but still needs to be better at including cybersecurity from the get-go.
What does the survey show?
When asked about the development of their latest digital solutions, almost half of the respondents indicate that cybersecurity was taken into account before the actual development of the solution. Forty percent indicate that they started taking cybersecurity into account during the development or before implementation, while 10% say that this happened as part of or after implementation. None of the respondents say that cybersecurity was not taken into account at all. Two percent indicate that they had not taken cybersecurity into account until an actual cyber-attack (or attempt) prompted them to.
Q: Think of the last time your company developed a digital solution (e.g. IoT, cloud, robotics or similar). When in the development process was cybersecurity taken into account?
Businesses need to be proactive in their approach to cybersecurity. It is costly and ineffective not to take cybersecurity into account from the beginning in all design and system-development processes. Half of the respondents indicate that cybersecurity is taken into consideration before the actual development of the solution. This is positive and it supports the general trend that we have seen in the past 10 years, with cybersecurity having gone from not being considered at all to now being recognised as an instrumental part of product and system-development processes. We have come a long way when it comes to security-by-design, and it is important to recognise this positive development.
However, half of the respondents are not doing security-by-design – taking cybersecurity into account before actually starting the development of a solution. This number is too high. Not only does this increase the business’ vulnerability; in many cases, it also makes the solution more expensive, especially if the security efforts need to be integrated once the solution has been implemented. Our qualitative data suggest that businesses really have the intention of getting better within the area. When asked about what would make them rank their own general cybersecurity higher, respondents pointed to exactly this – getting better at taking cybersecurity into consideration from the beginning.
The bigger picture
Secure Development Life Cycle
It took several years for companies to recognise that security should be considered as part of the systems development life cycle (SDLC). Now it is time for companies to evolve their ways of thinking and embed security in every phase of the SDLC. This does not necessarily mean that additional security measures will be required in every case; rather, it means that when security is being considered, tangible steps are taken to integrate security solutions into the product, technology or value chain in question. It is positive to see that we are now considering security as part of the SDLC; this should now result in actual secure-by-design solutions.