OR - What is the Right Level of Paranoia?
With all of the emphasis on innovation, why is it that security is the last thing on the agenda? Starting with the Quality Gurus (Deming, Juran, Crosby and others), designing quality into the product and process is always the first thought. Research has shown that by designing in quality, the cost of the product is lower and the quality higher. Seems like a good thing, but when you put security into the mix it gets placed at the end of the attention line. Just as it took years for the ideas of the Quality Gurus to be accepted and implemented, it will take years for the concept of designing in security to be accepted and implemented. The trouble with the delay is that the speed of technological innovation makes it difficult to append security to the end of the process. About the time you get around to adding security to the product, you are starting the new product design cycle.
Why is this more important now?
As the implementation of “Smart” everything takes hold, we become more dependent on those technologies and more exposed to problems when these “Smart” things don’t work as they should. In a conference brochure I received from MVNOs North American conference, which is happening along with a Smart Cities Summit and Enterprise IoT World, there are only two clear references to security in any of the sessions. There may be more, but in my attempts to find them I was unsuccessful. The speed of change in technology should be causing us to be more aware of the need to design security into our products and services.
How do we change the dialogue?
I challenge all who read this to start the conversation wherever you can:
- Hold your own lunch and learn sessions for developers (especially those involved in agile development activities);
- If you are lucky enough to attend a non-security conference, challenge the speakers to explain where information security fits within their presentation; and
- Be a Pest (not to the extent that it will get you fired, but be someone who always looks for opportunities to advocate for the inclusion of security within the design of the product or services).
Final Thoughts (for now)
I recall the difficulty of implementing any quality improvement process at a large automotive manufacturer where it was more important to meet the production quota than produce quality products. That, thankfully, has changed and quality has become just another part of the design and manufacturing processes. I recall one conversation around a cost reduction target that would have required a 10% reduction in workers. My analyses revealed that a 2% reduction in scrap could achieve the same cost reduction target and at the same time increase the quality of the products being produced. I think that similar results could be achieved if security considerations were included in the design process. Not as cool as Hunter Teams or fighting the latest APT, but maybe better for the company and the customer.