Security by design, not insecurity by default


As a driver, you never really think about the inner workings of your car's handbrake. Nor should you. Whether you're parked on a flat road or a hill, it just works and ensures your car doesn't roll.

Drivers and their passengers don't concern themselves with questions about whether the handbrake will work; they just trust it to do its job. Until it doesn't, and that's when panic sets in...

The same is true of tech security. Its importance cannot be overstated, yet for it to truly work it must be sophisticated and intuitive enough that users don't need to think about it.

If users start to think about it, they will question it. It's human nature. They may even start to doubt it or work against it. The reasons behind this are unknown, but real nonetheless.

As such, business and IT decision makers in organisations of all sizes need to recognise and deal with the reality of being insecure about security, and ensure they focus on security by design rather than allowing vulnerabilities in through indignation.

People talk about transparency a lot, but when it comes to security, in a strange twist of events, you almost want the opposite. It needs to be opaque to users: something they know is there but don't overthink.

But behind that opaque facade lies a great deal of sophistication. A lot of work has gone on behind the scenes to bring about a level of security that users aren't even aware of, but which does its utmost to keep their data and company information safe.

The value of data

Data and people remain the two biggest assets any organisation possesses. As such, companies must focus on protection, retention and optimisation of both elements.

"Anyone properly valuing a business in today's increasingly digital world must make note of its data and analytics capabilities, including the volume, variety and quality of its information assets," said Douglas Laney, vice president and distinguished analyst at Gartner.

Digital transformation is big business, with fellow analyst firm IDC predicting some $2 trillion will be spent worldwide on related technologies come 2022. This significantly surpasses spend levels to date, showing the appetite for digital transformation is real and growing.

Gartner concurs with the focus on digital and what else needs to happen to support businesses on their journey there.

"Security leaders are striving to help their organisations securely use technology platforms to become more competitive and drive growth for the business. Persisting skills shortages and regulatory changes like the EU's Global [sic] Data Protection Regulation (GDPR) are driving continued growth in the security services market," said Siddharth Deshpande, research director at Gartner.

"Security and risk management has to be a critical part of any digital business initiative," he added.

The role of security in digital transformation

Everyone understands the importance of security. However, it seems only a few recognise its significance when it comes to digital transformation.

"All too often, security is an afterthought in the digital transformation effort. As organisations transform their business digitally, it is imperative that they take security into account early in the cycle," said Christina Richmond, programme director of IDC's Worldwide Security Services.

There's another reason the industry has a responsibility to make security a default rather than an add-on, too. Despite a universal recognition of the role security should play in digital transformation, just 31% of decision makers put it high up on their list of concerns relating to the topic, according to a study by Forrester Research.

"The data that is being generated by companies is a source of value for companies and that should be first and foremost in all of their [CEOs] conversations around how they're going to transform their business. [It's about] using technology as an enabler and taking advantage of the data being generated to make better business decisions, to be more competitive and to give them an opportunity to grow their business," said Richard Curran, Intel's chief security officer for EMEA.

"There have been fundamental changes in data protection, in the industry that is going through a major transformation as well. We talk about transformation in most vertical industries and security needs to go through a transformation too."

It may have been a prediction from 2016, but Gartner's suggestion that 60% of digital transformation projects will fall down due to a security service failure by 2020 is no less relevant.

"Cyber security is a critical part of digital business with its broader external ecosystem and new challenges in an open digital world," according to Paul Proctor, vice president and distinguished analyst at Gartner.

"Organisations will learn to live with acceptable levels of digital risk as business units innovate to discover what security they need and what they can afford. Digital ethics, analytics and a people-centric focus will be as important as technical controls."

Security as standard

We all know users can be the weakest link - whether they want to admit that or not, the fact remains.

Indeed, research commissioned by ObserveIT and carried out by the Ponemon Institute in early 2018 found that insider threats are on the rise, with the average annual cost being not far off $9 million per organisation.

"This research reveals that ignoring the growing threat posed by insiders can be costly for businesses of all sizes and in all industries," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.

"The increasing cost of insider threats, whether caused by negligent or malicious actors, is extremely detrimental for organisations, potentially costing them millions of dollars annually."

So, then, what can be done to counteract the ill effects of users, well-intended or otherwise?

"Rather than looking at security as something we put at the back end, we need to look at an upfront and security-by-design philosophy. In all transformational strategies and decision making, one needs to put security as an embedded part of the discussion," Curran advised.

"[There needs to be] an understanding that up front about personal data loss or a loss generated by machine to machine or data in general. Because, fundamentally, it's the data being generated that is going to provide you with the source of value. And if that is compromised in any way, there are serious consequences," he added.

This is where Intel has something of a USP. It recognises that security layered purely on software can only go so far in the fight against software-based security threats.

"For CIOs around the world, nothing today demands more attention than protecting the enterprise against increasingly advanced cyber security threats. To detect and protect against modern threats, today's security solutions continually update themselves to stay ahead of the game," said Jim Gordon, general manager of platform security at Intel.

"Some rely on spotting known signatures, others rely on spotting suspicious behaviours, but they all use a layered approach, with each layer working in a different capacity to provide protection. Even so, modern and evolving threats are increasingly evading current solutions and advanced attack techniques can circumvent software-only approaches. To reduce the likelihood of that happening, Intel is innovating by coupling CPU data and software to detect threats, making such detection easier and more difficult to circumvent."

Gordon added: "Intel brings a fundamentally different approach to the industry with Intel threat detection technology. Using silicon to improve the efficacy and performance of security solutions. That is the power of hardware-enhanced security."

Intel's approach combines CPU data, AI algorithms and GPU offload to handle and optimise security workloads, moving certain tasks from the CPU to the GPU. As a result, users benefit from a better experience as well as improved battery life and performance.

Security evolution towards revolution

There is still some debate as to who or what should be responsible for security in an organisation. That's why a co-operative approach, where decision makers work with vendors and, where applicable, government to unite in the fight against security threats, could be key.

"The CISO is also going through a transformation. They're very much in a reactive position and that needs to change. Ultimately, you have in the industry a huge shortage of skills and you have a dramatic increase in the amount of threats and the complexity associated with those threats," Curran added.

"You have increased governance like GDPR, and that increases the responsibility for the management of that data. As a result, one needs to understand how you're going to incorporate a fundamental security strategy that's going to be part of the strategic direction of the company from a security perspective."

This, Curran said, means the role of the CISO, or whoever is charged with security in the organisation regardless of their moniker, has evolved from being purely reactive to much more strategic and forward-thinking. They now, in essence, really have a seat at the table in ensuring the organisation remains secure.

"Security is very much like business outcomes in any other part of the business. One needs to understand the risk associated with making decisions about where to put your investment. As a result of that, one needs to understand, from a business outcome perspective how you're going to create and implement a strategy around data protection. [It's that] rather than buying point solutions to protect your data. That is a reactive approach," Curran said.

"CEOs need to look at data protection officers or CISOs who are going to be a fundamental and integral board member rather than someone who is going to keep the lights on."

Curran added: "Software encryption is really good. There's a lot of really good products out there. We have many partners who have developed really good security based platforms. However, ultimately, we believe if you're looking at the growth of data, and how one needs to have a multi-cloud strategy, and the future of data centres and how you manage that capability all the way out to the edge, and that edge being client and IoT, we believe one needs to ensure that you have an attestation capability that ensures you can ensure that particular device, no matter what it is, has a trust-based capability and that the environment knows that that device can be trusted. And that the data being generated by that device or being sent to that device needs to be trusted."

Software-based threats are increasing, and spending on security products and services is expected to surpass $114 billion this year, up 12.4% on 2017, according to Gartner. Fast-forward to 2019, and that figure is expected to hit $124 billion. So it's clear that new models of prevention, rather than just cure, are essential as things intensify.

"We are seeing a fundamental shift. It's not only a software driven value proposition in the security market. Now, the hardware and the security-by-design philosophy is looking at the capabilities of the hardware and [ensuring] the capabilities of that hardware are working together with the different types of software solutions out there," Curran said.

"We have got technologies today we make available to the software industry, so they can take advantage of the security to provide a root of trust, to provide a better attestation capability, to provide a geo-boundary or geo-location-based capabilities so that one knows when data or workload is being used on that device it is directly accredited to that device. So, if the data is moved to another location that data is a) encrypted and b) it won't be used. It's mapped and attributed directly to that device and that will increase your foundational security-based philosophy and that maps into security-by-design."

That way, according to Curran, threats can be more easily identified, quarantined and dealt with. And, he suggested, change is afoot with greater levels of intelligence being used in the fight between good and bad.

"Over time we are going to see devices make intelligent decisions to know that their state has been changed so they can actually move off the network, to self-diagnose and ensure that before they go back on the network they've either been modified or the breach has been fixed," he said.

"The intelligence associated with that will come from AI and its ability to be able to analyse data faster and better. There's going to be a huge opportunity within the security market in terms of AI security and the ability to look at threat detection and analyse data down beyond the packet to be able to [tell] if that data has been manipulated in some way or some type of malware injected within that particular data set. As a result, the products within that whole framework can actually detect that as quickly as possible and either isolate it or correct it."

The times are a-changing and we all need to ensure we keep pace, especially where security is concerned. Hopefully, though, we will emerge stronger and more secure as individuals, businesses and industries if the glimpses of the future we have seen so far resemble wider reality.

"There's going to be so much data and so many products and devices that the traditional way in which we manage security through a SOC or SIEM-based platform will be outdated," Curran added.

So, hold tight. But remain afraid too, for that is what fuels our ability to fight. And learn from experience, using that knowledge to avoid making the same mistakes again and again. After all, for every good advance in technology, several bad use cases are emerging just around the corner.

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.