How to achieve ‘Secure by Design’

Cybersecurity is an interesting beast. It is a relatively young discipline, which tends to get caught between its two older and more mature siblings, Security and Engineering. Cyber professionals tend to fall into one camp or the other when it comes to engineering security into the design of a system: either they are too preoccupied with standards, compliance, and over-engineered technical solutions, or they fall into the other camp, where they are too focused on external factors, such as threat intelligence or the latest known exploits.

The issue with the technical mindset is that, unlike with safety engineering, security engineering can’t assume that people behave the way they’re expected to. So, even if the system is technically engineered to perfection, the whole thing falls down as soon as you add people to the mix. Blindly implementing best-practice controls, achieving accreditation, and having all the latest gadgets will not necessarily achieve the desired risk levels.

The security intelligence mindset brings about a different issue. The modern threat landscape is in a state of perpetual disruption – we have no idea what threats are going to look like in the next year, let alone over the life of a system. Threat models and threat intelligence are great, but at the end of the day they don’t actually give any useful information when it comes to designing a system security architecture.

The key is to find a balance between these two mindsets and achieve security that is both technology-agnostic and threat-agnostic. This can be done by focusing on the system’s inherent vulnerabilities and, taking an impact-focused approach, building in mitigations to lower the risk exposure to the desired level. Naturally, risk exists wherever humans are involved, so fail-secure solutions need to be considered. Technology should never be included in a design simply to meet compliance expectations, as this will only make the final solution more complex than it needs to be, which in turn raises the risk profile. Additionally, threat assessments should not be used as a key input into the design, as threats and attack methods evolve far too quickly to be reliable – these tools are much more useful for operational security.

Drawing up a system scope and taking an inward vulnerability focus is the only way to secure a system by design. This ensures the most critical security consequences of system failure are covered, regardless of what happens outside the system boundary.