3 Ways Companies are Working on Security by Design

  /     /     /  
Publicated : 23/11/2024   Category : security

3 Ways Companies are Working on Security by Design


Execs from top financial organizations and other companies share insights on building a security culture.


As cybersecurity professionals seek to bolster security culture across the enterprise, the concept of security by design has grown in prominence.
It has several interpretations: baking security fundamentals into development requirements, building less obtrusive security features for the convenience of customers, improving usability of security tools within IT organizations, or all of the above. But security by design stands at the forefront of securitys role in digital transformation.  
To kick off Cybersecurity Awareness Month, the National Cyber Security Alliance yesterday held a virtual 
2020 Cybersecurity Summit
 that featured luminaries from a number of organizations, including NIST, Bank of America, and Nasdaq. The big theme of the day was how security by design can aid in rolling out more usable security—for customers, internal users, technologists, and security personnel.
Heres what the speakers there shared on how companies today are working on security by design:
Building Usable Software Securely
One of the highlights of the summit was a session led by Hari Gopalkrishnan, the client-facing platforms technology executive for Bank of America, who discussed the development of the firms virtual financial assistant, Erica. An AI-driven platform, Erica was developed from the outset with security by design principals as a core part of success requirements.  
One of the key tenets before we got to anything functional was the fact that it had to be secure by design because to us security and privacy are table stakes, Gopalkrishnan explained. 
An obvious part of that was baking security into the design lifecycle, ensuring that data flows are secure, authentication is appropriate, and so on. Additionally, AppSec best practices like code scanning and security testing of deployed software continue to remain top of mind. Other less obvious parts of the security by design ethos that has driven Ericas development also included examining AI modeling for potential bias, as well as building robust options for customers to opt in or out of privacy-impacting choices around things like geolocation and data use. 
This is huge in an era of using digital information for personalization and tailored services. 
Some could argue a lot of, wow, wouldnt it be delightful if you could use all the data available to you, and when you be able to create a bigger aha moment for a customer, if you did that, and the answer is maybe, but we dont get to do that, Gopalkrishnan said. And thats not the role that we play. When we think about responsibility in software development and responsibility as a bank to deliver to our customers, everything needs to be transparent. 
Making Security Features Frictionless
Strengthening security functionality while removing friction from the user experience is a huge part of security by design. While security transparency is important, the goal should be to abstract security actions away from the users where possible, said Roman Shapiro, director of information security for Nasdaq.
Candidly, I think the industry is playing a little bit of catch-up in this regard, but weve learned to look closely at usage patterns — where you are logging in from, how you are logging in, and so on — taking sensible steps behind the scenes to give you the assurance you need that the session youre establishing is one you have confidence in, Shapiro says.
Multi-factor authentication is one of the biggest friction points for users, agreed Steve Clark, managing director and business unit information security officer for Bank of America. Clark explained that AI analytics of user patterns for the sake of authentication and authorization is increasingly going to become prevalent to reduce friction on that front, both in finance and in other industries.
Improving the Usability of Security Data
As security teams monitor how users are interacting with software assets and data on a daily basis, security by design will be crucial for setting security operators up for success as well. This means that teams are thinking closely about how the systems log user activity, what data is pulled from them and made available to SOC analysts, and how it is contextualized and enriched.
Whats difficult to do is pulling out the signal from the noise, explained Brian Vecci, field CTO for Varonis. The next few years are going to be not necessarily aggregating more log information or more information. Its going to be doing two things, creating more usable profiling that combines different kinds of information, not just logs, but other metadata that we have about users data, the devices that are being used, where people are coming from, the services that theyre using, the access and building really useful profiles about whats normal to identify patterns of misbehavior.
 

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
3 Ways Companies are Working on Security by Design