Wednesday, September 23, 2020

Potential Cybersecurity Concerns with Traditional System Engineering Methodologies

Cybersecurity is a growing concern for all organizations worldwide. Every system, process, and development project must include ways to account for these concerns because the threat keeps growing. When looking at SDLC methodologies such as agile, waterfall, spiral, or iterative development, these concerns tend to be treated as a business process or outcome rather than as a practice integrated into the methodology itself. “Digitization of business processes and services entails huge savings and increased efficiency. To be sustainable, this development must not at the same time introduce serious security vulnerabilities, but unfortunately, it often does.” (Josang, 2015)

These concerns become clearer when you examine how the vulnerabilities occur in the first place. Possible causes include a lack of development skills, simple oversights in training, and a lack of investment in monitoring and detection of threats. First, a lack of security skills among programmers can cause an entire engineering effort to be completed with no adequate security controls in place to protect either the application software or the business. “Unfortunately, thousands of IT designers and experts around the world are lacking security skills precisely because cybersecurity was not part of the study program they followed at the university. The expanding ICT infrastructure worldwide is being built by IT experts with IT degrees from universities and colleges, but unfortunately many IT experts still have insufficient security understanding and expertise.” (Josang, 2015)

Lack of training can affect system engineering methodologies immensely. Knowledge of software security during the development process ensures that developers build and integrate core security controls into each phase. “Several different SDLC models exist, including Waterfall, Spiral, Agile, and many more. While each of these models is very different, they were all designed without software security in mind. Failing to include software security in the development lifecycle has many consequences: releasing critical vulnerabilities to production, putting customer data at risk, costly follow-up releases to secure the application, development teams believing security is someone else’s job, and the list goes on…” (SANS, 2015) All of these consequences can have a dramatic effect on the organization.

Since most programmers lack the specific training needed to correctly identify these vulnerabilities, they typically ask the organization’s security teams to tell them what is needed. “To efficiently deal with existing security measures in various development projects, the incorporation of security-minded thinking should be considered throughout the process of development. This can reduce the risk of lacking in necessary security requirements or committing critical faults in software design.” (Alenezi & Almuairfi, 2019)

Finally, cybersecurity concerns are a continual problem that forces businesses to invest in monitoring and detection capabilities to combat the growing threats caused by an increasing number of vulnerabilities. These vulnerabilities are introduced daily, and largely by SDLC processes that lack sufficient security controls. “Many different approaches have been presented recently toward solving the problem of weak security through preventative and reactive measures; however, we obviously have not yet found the solution since security-related attacks continue to persist.” (Hoole, 2016)

These approaches to security monitoring and detection must be at the forefront of consideration throughout the development process. There must be continual oversight of the technology deployed into production to ensure it does not pose a risk to the business. “[H]aving a greater level of trustworthiness in a system means it is possible to put procedures in place to help individuals (i.e., human system element) respond more effectively to attacks and other disruptions, in concert with or independent of, the machine/technology system elements.” (NIST, 2016)

To address these concerns, organizations must institute ways to combat threats both proactively and reactively. This involves threat detection through scanning, alerting, and identification. It also entails blocking, isolating, and removing threats from the network once the development process is complete and systems are in production. “The proactive and reactive strategies are combined and balanced across all assets, stakeholders, concerns, and objectives. To achieve such balance requires that security requirements elicitation and analysis be conducted to unambiguously and clearly ascertain the scope of security in terms of the assets to which security applies and the associated consequences or losses against which security is assessed.” (NIST, 2016)

Overall, cybersecurity concerns will continue to grow throughout all SDLC engineering efforts until the organization implements ways to limit the number of vulnerabilities present and to control the effects once one is identified. This can only occur through more thorough training, monitoring, and detection methods throughout the entire lifecycle. Developers and programmers must become an integral part of the security processes and required controls so that security can be appropriately addressed before implementation in the production environment.

References

Alenezi, M., & Almuairfi, S. (2019). Security risks in the software development lifecycle. International Journal of Recent Technology and Engineering, 8, 7048-7055. https://doi.org/10.35940/ijrte.C5374.098319

Hoole, A. (2016). Security vulnerability verification through contract-based assertion monitoring at runtime. UVicSpace. https://dspace.library.uvic.ca/bitstream/handle/1828/8952/Hoole_Alexander_PhD_2017.pdf?sequence=1&isAllowed=y

Jøsang, A., Ødegaard, M., & Oftedal, E. (2015). Cybersecurity through secure software development. In M. Bishop, N. Miloslavskaya, & M. Theocharidou (Eds.), Information Security Education Across the Curriculum. WISE 2015. IFIP Advances in Information and Communication Technology, vol. 453. Springer, Cham. https://doi.org/10.1007/978-3-319-18500-2_5

NIST. (2016, November). NIST Special Publication 800-160 Volume 1: Systems security engineering; Considerations for a multidisciplinary approach in the engineering of trustworthy secure systems. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1.pdf

SANS. (2015, April 5). Securing the software development lifecycle. SANS Security Awareness. https://www.sans.org/security-awareness-training/blog/securing-software-development-lifecycle

PRESENTING A BREACH TO THE BOARD

In today’s business landscape, all large organizations require a briefing on cyber risk to the executive board. The board expects to gain an understanding of the organization’s overall risk and insight into the recommended courses of action needed to lower the potential for harm to the business. To do this effectively, the senior risk leader or information officer must be able to convey his or her assessment in a logical way that presents overall organizational risk, not just the IT security risk associated with it.

To effectively present the risk to the board, the presenter should speak without being too technical, using scare metrics, or presenting too many risks that do not correlate with the strategic goals or outcomes of the business. “The key to having successful senior leadership or board-level presentations comes down to these simple principles:

- Remember that when presenting to any audience it is about them, not you.
- To be relevant to senior executives or boards, stop using technobabble that is most relevant to IT operations, but no one else.
- Stop scaring everyone into believing the sky is falling…again.
- Help leaders make informed risk-management decisions by ensuring they have (and understand) all the necessary information.
- There is nothing more damaging to credibility than a lack of consistency over time.
- While the leaders are being provided valuable insights, it does not mean a presenter cannot get something out of the meeting as well.” (Booth, 2019)

Because presenting to the board takes deliberate preparation, IT leaders should work toward communicating the level of risk in an understandable manner that achieves results. This requires information officers to build relationships with the board and earn its trust, and to do that they must speak the same business risk language. “Boards, executive management, and technology leaders are struggling to connect the dots on a wide range of topics familiarly grouped under the heading of cyber. At the core of this struggle is the view that business executives and security professionals seldom speak the same language. Perhaps more importantly, they rarely approach cyber challenges in a way that integrates multiple competencies to create better business context and insight in their cyber strategies.” (Deloitte, 2019)

This understanding between the IT security leader and the board is essential to addressing cyber risk. To align these leaders effectively, the cyber risk management strategy must become part of the business strategy. Both must be able to work together toward the same goal while placing a priority on the reduction or management of emerging cyber risk. “The team should ‘communicate using the same language as the business, otherwise the interpretation of risks can differ’. So think about what the board needs to know, and seek to make risk relevant to the business and stakeholders – this is the only way to ensure an enterprise-wide risk strategy.” (Rossi, 2018)

Once the hurdle of speaking the same language is overcome, the IT leader must be able to drive business decisions while supporting the choices made about managing cyber risk. Every board must decide how to prioritize funding, and not every risk will equate to a strategic ROI. “The business and technology innovations that companies are adopting in their quest for growth, competitiveness, and cost optimization are, in turn, leading to heightened levels of cyber risks. Bad actors exploit weaknesses that are byproducts of business growth and technology innovation. Such weaknesses could be related to mergers and acquisitions, new customer services, supply chain models, applications, and mobile tools designed to engage consumers, and new technologies purchased to help improve efficiency and control costs. Being too risk-averse is not an option, and cybersecurity stretches beyond internal operations.” (Deloitte, 2019)

This understanding of why and how business innovations affect growth relative to cost is paramount to organizational success. It helps the IT leader prioritize the information the board needs, making the best use of both parties’ time and increasing the value delivered. “Presenting the impact of cyber risk and of possible risk mitigations in financial terms allows the board and executive management to engage, to participate in the decision-making process, and to fulfill their cyber risk governance duties.” (Sanna, n.d.)

Ultimately, this understanding should allow the board to build a cyber resilience strategy into its overall business strategy. “Adequate organizational resilience is about operating the business while fighting back and recovering. Maintaining this level of performance requires the ability to measure an organization’s digital resilience much the way a board oversees its financial health. For board members, no fiduciary obligation is more urgent than overseeing and, where necessary, challenging how executive leadership manages the risks to the company.” (Rothrock, 2017) If the message is conveyed correctly, the IT leader will help shape the board’s view of resiliency and become an integral part of the organizational strategic plan.

Overall, presenting cyber risk to an organization’s board of executive leadership is of critical importance to the organization. It conveys the organization’s cyber risk in a manner that aligns with the business’s strategic goals. The presentation empowers decision-makers to become active in an area in which they previously may not have been. By illustrating the threat without scaring the audience or overloading it with technical data, the presenter enables the board to make informed funding decisions about the areas of the organization most vital to protect. This will enable the board to continue to advance the organization into a more innovative future state with a reduced risk posture.

References

Booth, S. (2019, May 6). The biggest mistakes made when presenting cybersecurity to senior leadership or the board, and how to fix them. FireEye. https://www.fireeye.com/blog/executive-perspective/2019/04/biggest-mistakes-when-presenting-cyber-security-to-board-and-how-to-fix.html

Deloitte. (2019, May 19). Communicating the value of cybersecurity to boards and leadership. Deloitte Insights. https://www2.deloitte.com/us/en/insights/industry/health-care/value-of-cybersecurity-life-sciences-health-care.html

Rossi, B. (2018, May 15). How to communicate cyber risk to the board. Information Age. https://www.information-age.com/how-communicate-cyber-risk-board-123460092/

Rothrock, R. (2017, November 16). The board’s role in managing cybersecurity risks. MIT Sloan Management Review. https://sloanreview.mit.edu/article/the-boards-role-in-managing-cybersecurity-risks/

Sanna, N. (n.d.). How to communicate cyber risk to the board. The FAIR Institute. https://www.fairinstitute.org/blog/how-to-communicate-cyber-risk-to-the-board