As cybersecurity professionals seek to bolster security culture across the enterprise, the concept of security by design has grown in prominence.
It has several interpretations: baking security fundamentals into development requirements, building less obtrusive security features for the convenience of customers, improving usability of security tools within IT organizations, or all of the above. But security by design stands at the forefront of security's role in digital transformation.
To kick off Cybersecurity Awareness Month, the National Cyber Security Alliance yesterday held a virtual 2020 Cybersecurity Summit that featured luminaries from a number of organizations, including NIST, Bank of America, and Nasdaq. The big theme of the day was how security by design can aid in rolling out more usable security—for customers, internal users, technologists, and security personnel.
Here's what the speakers there shared on how companies today are working on security by design:
Building Usable Software Securely
One of the highlights of the summit was a session led by Hari Gopalkrishnan, the client-facing platforms technology executive for Bank of America, who discussed the development of the firm's virtual financial assistant, Erica. An AI-driven platform, Erica was developed from the outset with security by design principals as a core part of success requirements.
"One of the key tenets before we got to anything functional was the fact that it had to be secure by design because to us security and privacy are table stakes," Gopalkrishnan explained.
An obvious part of that was baking security into the design lifecycle, ensuring that data flows are secure, authentication is appropriate, and so on. Additionally, AppSec best practices like code scanning and security testing of deployed software continue to remain top of mind. Other less obvious parts of the security by design ethos that has driven Erica's development also included examining AI modeling for potential bias, as well as building robust options for customers to opt in or out of privacy-impacting choices around things like geolocation and data use.
This is huge in an era of using digital information for personalization and tailored services.
Read the rest of this article on Dark Reading.