The Key to Continuous Security Improvement? A Rugged Culture of Information Security

Editor's Note: Take a look at our featured best practice, Digital Transformation Strategy (145-slide PowerPoint presentation). Digital Transformation is being embraced by organizations across most industries, as the role of technology shifts from being a business enabler to a business driver. This has only been accelerated by the COVID-19 global pandemic. Thus, to remain competitive and outcompete in today's fast paced, [read more]

Also, if you are interested in becoming an expert on Digital Transformation, take a look at Flevy's Digital Transformation Frameworks offering here. This is a curated collection of best practice frameworks based on the thought leadership of leading consulting firms, academics, and recognized subject matter experts. By learning and applying these concepts, you can you stay ahead of the curve. Full details here.

* * * *

In the age of rapid technological progress, where Digital Transformation has become pervasive, business applications are getting increasingly complex and interconnected.  The advancement in technology has also helped attackers get more aggressive and inflict more damage to IT systems and applications.  Application security tools and techniques are evolving too, yet most organizations still fall prey to vulnerabilities.  Cybersecurity has become a bigger threat than ever before.

The current application security methodologies mainly count on detecting weaknesses and correcting them.  Most organizations, primarily, rely on utilizing penetration testing or automated tools, at the most.  They ignore to concentrate on establishing strong defenses against threats, merely do patch work, and leave the weaknesses unguarded.  A small fraction implement threat modeling, security architecture, secure coding techniques, and security testing—but even they are typically unsure of how these approaches link with their strategic business objectives.

A few weaknesses constitute majority of break-ins–e.g., SQL injections and buffer overflows.  Major security threats and application vulnerabilities include compromised credentials, failure to patch promptly, SQL injections, and cross-site scripting.  A large number of security threats can be neutralized just by taking care of security hygiene.

Secure Software Development

State-of-the-art technology and best practices available today offer effective yet economical methods to prevent security breaches and threats.  These tools and practices work well without affecting the pace of delivery or straining the users unnecessarily.

Secure software development not only warrants analyzing the technology but also looking at the entire organization that creates the software—people, processes, tools, and culture.  Secure software development culture inspires security by promoting and improving communication, collaboration, and competition on security topics and rapidly evolving the competence to create available, survivable, defensible, secure, and resilient software.

Rugged Software and a Culture of Security

Rugged software, or Rugged DevOps, promotes developing secure and resilient software by embedding this practice into the culture of an organization.  A Rugged culture of security is more than just secure—secure is a state of affairs at a specific time whereas Rugged means staying ahead of threats over time.  The rugged code aligns with the organizational objectives and can cope with any challenges.  Rugged enterprises constantly tweak their code and their internal organization—including governance, architecture, infrastructure, and operations—to stay ahead of attacks.  All applications developed by “Rugged” organizations are well-secured against threats, are able to self-evaluate and distinguish ongoing attacks, report security statuses, and take action aptly.

Rugged software is a consequence of the efforts to rationalize and fortify security.  This is achieved by communicating the lessons learnt from experimentation, setting up stringent lines of defense, and adopting and sharing rigid safety procedures across the board.  Adopting Rugged software development practices across the enterprise help execute more applications promptly, improve security, and achieve cost savings across the software development life-cycle.  Rugged software development is cost efficient because of fewer labor and time requisites during the requirements, design, execution, testing, iteration, and training phases of the development life-cycle.

The following 10 guiding principles apply to all organizations aiming to develop a Rugged culture of security:

1. Perpetual Attacks Anticipation
2. Staying Informed
3. Security Hygiene
4. Continuous Improvement
5. Zero-defect Approach
6. Reusable Tools
7. One Team
8. Comprehensive Testing
9. Threat Modeling
10. Peer Reviews

Let’s discuss the first 5 principles for now.

Perpetual Attacks Anticipation

A Rugged software development organization anticipates nonstop vulnerabilities and attacks—deliberate or accidental.

Staying Informed

Rugged organizations appreciate staying informed about security issues and potential threats, seek recommendations from security specialists, and identify and update security policies and rules.

Security Hygiene

Rugged organizations take good care of their security hygiene by limiting the sharing of user accounts, carefully guarding the passwords and sensitive personal information.  They employ secure software practices.

Continuous Improvement

Continuous Improvement is the management principle foundational to Lean Management that should be embraced by all areas of an organization.  In case sensitive information is left lying on somebody’s desk at night, Rugged organizations ensure that this does not recur in future and gather feedback from the people who happen to notice it.

Zero-defect Approach

Rugged organizations leave no room to tolerate any known weaknesses.  An issue is resolved as soon as it is detected.

Interested in learning more about the guiding principles to develop a Rugged culture of security?  You can download an editable PowerPoint on the Culture of Security here on the Flevy documents marketplace.

Do You Find Value in This Framework?

You can download in-depth presentations on this and hundreds of similar business frameworks from the FlevyPro Library. FlevyPro is trusted and utilized by 1000s of management consultants and corporate executives. Here’s what some have to say:

“My FlevyPro subscription provides me with the most popular frameworks and decks in demand in today’s market. They not only augment my existing consulting and coaching offerings and delivery, but also keep me abreast of the latest trends, inspire new products and service offerings for my practice, and educate me in a fraction of the time and money of other solutions. I strongly recommend FlevyPro to any consultant serious about success.”

– Bill Branson, Founder at Strategic Business Architects

“As a niche strategic consulting firm, Flevy and FlevyPro frameworks and documents are an on-going reference to help us structure our findings and recommendations to our clients as well as improve their clarity, strength, and visual power. For us, it is an invaluable resource to increase our impact and value.”

– David Coloma, Consulting Area Manager at Cynertia Consulting

“As a small business owner, the resource material available from FlevyPro has proven to be invaluable. The ability to search for material on demand based our project events and client requirements was great for me and proved very beneficial to my clients. Importantly, being able to easily edit and tailor the material for specific purposes helped us to make presentations, knowledge sharing, and toolkit development, which formed part of the overall program collateral. While FlevyPro contains resource material that any consultancy, project or delivery firm must have, it is an essential part of a small firm or independent consultant’s toolbox.”

– Michael Duff, Managing Director at Change Strategy (UK)

“FlevyPro has been a brilliant resource for me, as an independent growth consultant, to access a vast knowledge bank of presentations to support my work with clients. In terms of RoI, the value I received from the very first presentation I downloaded paid for my subscription many times over! The quality of the decks available allows me to punch way above my weight – it’s like having the resources of a Big 4 consultancy at your fingertips at a microscopic fraction of the overhead.”

– Roderick Cameron, Founding Partner at SGFE Ltd

“Several times a month, I browse FlevyPro for presentations relevant to the job challenge I have (I am a consultant). When the subject requires it, I explore further and buy from the Flevy Marketplace. On all occasions, I read them, analyze them. I take the most relevant and applicable ideas for my work; and, of course, all this translates to my and my clients’ benefits.”

– Omar Hernán Montes Parra, CEO at Quantum SFE

Want to Achieve Excellence in Digital Transformation?

Gain the knowledge and develop the expertise to become an expert in Digital Transformation. Our frameworks are based on the thought leadership of leading consulting firms, academics, and recognized subject matter experts. Click here for full details.

Digital Transformation is being embraced by organizations of all sizes across most industries. In the Digital Age today, technology creates new opportunities and fundamentally transforms businesses in all aspects—operations, business models, strategies. It not only enables the business, but also drives its growth and can be a source of Competitive Advantage.

For many industries, COVID-19 has accelerated the timeline for Digital Transformation Programs by multiple years. Digital Transformation has become a necessity. Now, to survive in the Low Touch Economy—characterized by social distancing and a minimization of in-person activities—organizations must go digital. This includes offering digital solutions for both employees (e.g. Remote Work, Virtual Teams, Enterprise Cloud, etc.) and customers (e.g. E-commerce, Social Media, Mobile Apps, etc.).

Learn about our Digital Transformation Best Practice Frameworks here.