Security does not simply drop off the ‘to-do’ list as soon as a project is complete
Tom Moore, Aura

When a project team sets out to implement a new IT system, all too often the topic of security isn’t given enough consideration until it’s far too late. While common sense might dictate that security vulnerabilities are likely to be more expensive and time-consuming to fix after the fact, security is still frequently overlooked (or simply cast aside) until later in the piece. Not only does this put the project itself at risk – an insecure system can also expose the entire business to significant financial or reputational risk.

The reason why security is routinely an afterthought is something that continues to baffle security experts. Tom Moore, Practice Manager for Australia and New Zealand at leading Wellington-based cyber security firm Aura Information Security, explains why businesses need to adopt a ‘Secure by Design’ approach, not only to minimise the likelihood of projects running into unexpected cost, but also to avoid exposing the business to unnecessary risk.

Security as an afterthought

It’s true that the security aspect of any new IT system probably isn’t going to be the thing that gets the project team excited. Security relies heavily on people and process – and everyone is likely to be focused on designing and building the amazing technology rather than the security of it. Unfortunately, it’s precisely this sort of short-term thinking that leaves vulnerabilities in your IT that can be easily exploited by cybercriminals.

One example of this in action is the recent hack of American consumer credit reporting agency Equifax, where it is reported that the identities of up to 44 million people were compromised. In that hack, the customer details acquired by the hackers could then be used to fraudulently open lines of credit.
Equifax – a listed company – saw its stock lose 13 per cent of its value in the immediate aftermath.

Despite the constant barrage of highly public security compromises, and the significant financial and reputational impact they have, the level of maturity and awareness of the business risk that information security represents is mixed at best. Government tends to be somewhat ahead of the game; however, much of the private market is immature, with a tendency to rush into delivering the functionality desired by the business.

Unfortunately, for many businesses it often takes a negative experience to put the topic of information security on the agenda. Our team is regularly called upon at the eleventh hour to help remediate security vulnerabilities that could easily have been fixed much earlier in the project – often under the watchful eye of a project manager whose deadline and budget is fast approaching, or well past.

Why be ‘Secure by Design’?

By adopting a ‘Secure by Design’ approach, businesses can identify security risk in the early stages and remediate vulnerabilities when it is most cost- and time-effective. Essentially, ‘Secure by Design’ is about proactively managing your information security risk throughout the project, which in turn enables you to deliver a secure outcome to your business.

Think of it this way: imagine trying to retrofit seatbelts, airbags and crumple zones to the design of your car – sounds hard, doesn’t it? When you buy a car, you expect that the manufacturer has considered all of those safety features before they started thinking about performance and aesthetics.
The same should apply when implementing a new IT system.

Thankfully, the message does seem to be getting through. In a recent Kordia survey of 225 IT decision makers, more than half of all respondents who were directly involved in the design process of new web applications stated that security was usually only considered in the middle of the design process or later. However, of those, almost 90 per cent said they saw value in engaging security experts earlier in the process.

The security lifecycle

Whenever you implement something new, or make a significant change, you run the risk of introducing security vulnerabilities. ‘Secure by Design’ aims to give businesses visibility of these risks as early as possible, so they can manage them most effectively.

‘Secure by Design’ should start around the whiteboard at the project kick-off meeting, when you are discussing solution requirements and desired business outcomes. By doing this you can not only ensure you are making good security design decisions, but also be assured that you are building your IT in a secure way. Essentially, if you’ve done it right, the security testing phase should not uncover any security show-stoppers that you didn’t already know about.

It’s worth noting that being ‘Secure by Design’ isn’t just a one-off.

Security does not simply drop off the ‘to-do’ list as soon as a project is complete; it falls into a security lifecycle. IT systems are not static – they get designed, built, tested and deployed. They get modified and patched, and they have an operational life. All IT systems carry an inherent risk that needs to be managed as part of business as usual – with monthly reporting, regular penetration testing and routine scrutiny of any changes to the risk profile.

Consider ‘Secure by Design’ as a four-phase process.
First, the ‘Design’ phase, where potential security risks are identified by software and infrastructure security architects.

This is followed by the ‘Build’ phase, in which our consultants help you check that you are building your systems in a secure way.

Next, the team carries out an end-to-end penetration test to ensure any remaining security flaws are remediated and you have full visibility.

Finally, the ‘Operate’ or business-as-usual phase, where ongoing analysis, reporting and security optimisation occur for the duration of the system’s operating life.

You’re only as strong as your weakest link

In many cases, the success of a project is judged on a range of criteria, two of which are whether it came in on budget and whether it was delivered on time.

For the most part, project owners can plan ahead, troubleshoot and assign roles to ensure things stay on track. However, without addressing the need for security early in the project, businesses are missing a glaringly obvious barrier to project success.

If you don’t have visibility of the information security risk you are introducing, then you are potentially leaving your business’s crown jewels on a silver platter for cybercriminals.

Remember, it’s better to discover any security vulnerabilities before the hackers do.

Tom Moore is practice manager for Aura Information Security’s New Zealand and Australian operations.