Design for Cybersecurity From the Start

Everyone understands how important security is to digital products and services. Customers expect digital offerings to be secure, especially when they’re incorporating them into their own products and services. For example, a manufacturer that includes a sensor in its product design expects the sensor it uses to be cybersecure and not introduce vulnerabilities. Any device connected to the internet can create an entry point for attacks that access the internal system, steal credentials, plant malware, or collect sensitive data. But as breach after well-publicized breach shows, our development processes to build cybersecurity into products and services continue to break down. We have not yet reached the point where security is not only expected but deeply embedded in every aspect of product development.

To build truly secure digital products and services (which we’ll refer to as either “products” or “offerings” for simplicity’s sake), cybersecurity must be baked in from the initial design stage. While this isn’t easy, doing so can keep costs in check and help organizations better meet customer expectations. However, too often security is an afterthought, addressed only after a product has already been designed.

In our research into how companies build cybersecure offerings, we found that cybersecurity is rarely considered among the criteria in the early design phase. Most designers focus on making sure their offerings are elegant, marketable, usable, and feature-rich. Security is often “bolted on” after initial designs are completed, either by security development processes running parallel to the product development process or by security experts who work as consultants to the design team.