Is your product or service secure? Whose responsibility is it?
I have over a decade of experience in software engineering. At the beginning of my career, I was a software developer, and now I’m a Head of Technology at Untitled Kingdom, a product & software company. Apart from other activities, I have a mission to evangelize and pay attention to the relevance of security and its business aspects.
I’ll share with you my knowledge and experience in a series of articles regarding this important matter.
What is security? What makes you think that your product or service is secure?
Let’s start with a couple of simple questions I would like you to ask yourselves in your heads:
- Do you think the products or services you provide and create are secure right now?
- What makes you think they are secure?
- You might think they are or are not, but what is your answer based on?
- What kind of information or processes do you have in place to answer in all honesty?
- Do you have a holistic vision of the whole system or just its parts in isolation?
Why am I asking? We are living in times when a lot of startups are trying to create something revolutionary and pioneering in one of the upcoming tech areas, to be the first to offer something new and to stay ahead of the competition. That’s understandable, but it unfortunately often leads to forgetting, or at least postponing, any effort to make sure our users and our business are secure.
The problem is that sometimes it might be too late for that. In the best case, we lose our users’ trust, which is very difficult to regain. The worst case? A breach in production? You can imagine that the implications might be catastrophic for the business. Meeting all the regulations required for a given market is another thing to remember; GDPR, for example. All in all, millions in fines or lawsuits…
Security itself is a vast topic, and trying to cover everything in one article is impossible. That’s why I’ve prepared a series of blog posts in which I would like to focus on why we should care about it, show you real-world examples of how simple mistakes can lead to considerable problems in order to raise your awareness, and try to show you what the first steps might be and who should be responsible for them in your organization.
What is security?
What exactly do I mean by the word ‘security’?
The most straightforward definition is that ‘Security is all about achieving a particular goal when there is an adversary present’.
So think of it as a bad guy trying to do something wrong to your system, app or data. It might be, for example, shutting the entire system down, stealing and sharing your users’ private data or your business data, or trying to use or steal your technology to build a competing product.
So again, secure systems are the ones that still achieve their goal whatever a bad guy tries to do to them. That is why we need to apply countermeasures and mitigations against hackers, or anyone else trying to compromise whatever we have achieved.
Of course, I am not asking anyone to know everything about security and try to do everything on your own. That would be impossible, and almost certainly there is not a single 100% secure system on the planet; it just might take millions of years to hack it ;). It’s a constant fight between us creators and the bad guys. It’s about being aware of all the risks, and of the costs that come with them, in order to minimize the chances of something going wrong before something awful hits the fan.
Small problems are way easier to fix. Also, the earlier you change or improve something, the easier and cheaper it is. As Brian Tracy puts it: ‘Every minute you spend in planning saves 10 minutes in execution; this gives you a 1000% Return on Energy!’.
Some aspects we should be able to handle ourselves; others are definitely better outsourced to security experts, once we decide that they are something we should take care of, or at least test properly, before releasing to the public.
Who is responsible for security in your company?
So who is responsible for security matters in your business, you may ask?
Naturally, you could think that because developers and engineers are the ones who design, create and maintain the system, they should be the ones to raise awareness and take care of all the security aspects. Well, that is true, partially. They are the ones who apply countermeasures in code, no doubt about that.
However, in every company and business there should be someone who is the driving force behind the technological part of the company: the one who keeps the business ahead of the latest cybersecurity and tech trends. You may ask whether managing and overcoming the related threats also falls under the CTO’s responsibilities. Well, indeed, CTOs are fundamentally not doing their job if they don’t achieve this!
Summary
How do you start dealing with security in your company? Firstly, think about it and honestly answer these questions:
- Do you think the products or services you provide and create are secure right now?
- What makes you think they are secure?
- You might think they are or are not, but what is your answer based on?
- What kind of information or processes do you have in place to answer in all honesty?
- Do you have a holistic vision of the whole system or just its parts in isolation?
In my next articles I’ll tell you:
- How to take care of security during software development.
- What SSDLC and risk assessment are, and how to implement them.
- Security issues in software development, with examples: policy, threat model, mechanisms.
____________
If you share my ideas or have a question about security, please leave a comment.