CISOs need to keep up with the hyper pace of security


Last month I attended the Consumer Electronics Show in Las Vegas and saw not only the future of virtual reality and autonomous driving, but also the advancement of payments embedded in everything from our refrigerators to the clothes that we wear.

These innovations are causing a seismic shift in how we think about information security, pushing the protection of consumer payments beyond the traditional remit of finance and IT departments and into the design and manufacturing of the everyday products that make up the Internet of Things (IoT).

At our annual PCI Community Meetings for the past few years, we’ve demonstrated, with the help of Ken Munro and Tony Gee of Pen Test Partners, the increasing integration of payments into everyday products such as kitchen appliances and other smart home devices.

As this trend continues, we can expect the role of the CISO to expand in many enterprises, creating new opportunities for security leaders to advocate for better security in the design of the next generation of products. Products that never previously required logical security considerations will now need to have these types of exploitable risks evaluated and addressed.

So where do we start? More so than ever, a pre-production focus on security has become a necessity. And that begins with education, accountability and good product life-cycle management.

1. Training for application developers 

I’m surprised when I hear how frequently security is overlooked in application code until it is too late. This often stems from a lack of awareness among application developers of their role in designing for the confidentiality of customers’ information.

If programmers do not receive security training, how much more likely are they to build a design flaw into a new product or launch it without testing first? IoT, smart wearables and other new forms of payment will challenge us to grow the skills of our programmers: they need regular awareness of emerging threats so they can design mitigating controls that protect consumer data well beyond the final sales transaction.

However, it doesn’t stop at awareness of threats to satisfy a corporate audit requirement. We need to prepare for the future by training developers in how to securely design, test and maintain products against potential vulnerabilities.

If we expect customers to trust the next generation of products whose software connects to their phones or other smart devices, then security training for those involved must be seen as a recurring necessity and must exceed what is expected today.

2. Accountability

While training will provide the skills needed to protect against exploits, unless there is direct accountability for adhering to security best practices, those practices will often slip away as fast as a New Year’s resolution.

This requires local advocates within engineering and other departments to assume security oversight roles and responsibilities that may not have existed before. If the current organizational structure does not give the CISO the means to influence these teams, then senior leadership should evaluate a change in governance or new roles with these assigned responsibilities.

These responsibilities start with participating in design-needs and pre-production conversations, and continue through the testing of code prior to release and across the life cycle of the product. More companies are moving to automated testing of code, run-time security built into products and even artificial intelligence, with code writing code to eliminate common errors.

3. Life-cycle management

What we have not yet seen is how legacy IoT products will be supported when they remain in the marketplace for many years after they are no longer sold in retail outlets, or possibly no longer supported by the original manufacturer. Security leaders should encourage threat modeling for their product lines that extends well into the future and addresses how the company will manage future revisions.

There are many good resources organizations can draw on to begin building a culture of managing the security life cycle of software products. NIST SP 800-64, Security Considerations in the System Development Life Cycle, provides a framework, as do organizations such as SAFECode.

This is the world CISOs should expect going forward: updates and changes that happen at a hyper pace, beyond what conventional product security can protect. To mitigate this, we must diversify the types of security controls we use, with more emphasis early in the design process, supported by automated and dynamic testing throughout.

I might not understand the practical use for every smart product I saw at CES, but my hope is that each app has thoughtfully considered the security implications of an environment that shares memory with my sensitive payment information.

This article is published as part of the IDG Contributor Network.