Re-thinking security fundamentals: How to move beyond the FUD

For too long, security has been an afterthought in the product development process. The Structure Security 2016 conference, kicking off September 27 in San Francisco, aims to galvanize a movement around security thinking.
Written by Tom Krazit, Contributor

Around ten years ago, a new movement spread throughout computing: design thinking. It seems so obvious in hindsight, but the notion that the user experience presented by your product was something that had to be considered and prioritized at every step -- instead of layered on at the end -- was revolutionary at the time.

It's long past time for a similar type of movement: security thinking.

For far too long, security has been an afterthought in the product development process. Passwords are stored in plain text at companies with hundreds of millions of users; people have proven time and time again that they will click on a link that seems obviously suspicious; the most common password is, well, "password"; and large companies with tons of internal and external applications focus on plugging holes in the perimeter while attackers parachute straight into their networks. None of these is an unsolved technical problem: the fixes (salted, deliberately slow password hashing, for instance) have been well understood for years. They are cultural challenges, born of an obsession with rushing products to market in search of rapid growth, or of hiring a passel of security consultants who recommend layers of security products that cost more every year.

Later this month, we're gathering hundreds of information security and technology leaders at Structure Security, scheduled for September 27 and 28 at the Golden Gate Club in San Francisco's Presidio district. At that unique, beautiful setting, we'll be putting our heads together in hopes of finding a way to spread the gospel that security thinking needs to be part of every decision a company makes in 2016 and beyond.

You've all seen the breaches: If the NSA can be hacked, anyone can be hacked. Sure, the NSA is a big fat target for the offensive hackers of the world. But once its own hacking tools are released on the web, suddenly lots of other people, from petty criminals to disgruntled employees, have ready-made ways to steal your company's data, money, or both.

Now that your eyes have stopped rolling and have re-focused on this page, let me acknowledge that you're right: security companies have been using fear of attacks, breaches, and flat-out disasters to sell security products and services for an awfully long time. FUD (fear, uncertainty, and doubt) is perhaps the one marketing strategy that has never gone out of style.

But as nearly everything we do goes online and becomes ever more interconnected, the potential for loss grows larger and larger. Think about connected homes, self-driving cars, and industrial internet applications, and that is just the internet of things. In the rush to beat everyone else trying to capitalize on these trends (and plenty of others), security is nowhere near as fundamental to modern product development as it should be.

We're going to bring together speakers with long and distinguished careers in information security -- such as Art Coviello and Laz Lazarikos -- alongside promising security startups like Cylance and Bugcrowd and technology veterans like Diana Kelly of IBM and Bob Lord of Yahoo. Our hope is that this unique mix of influential people can help galvanize a movement around security thinking that has the same impact as design thinking had on companies like Uber, Pinterest, Airbnb, and other web giants of our time.

We'll know this has worked when startups think very hard about the security implications of the product design choices they make. We'll know this has worked when a generation of tech workers realizes that security engineering is the new path to a long and prosperous career, as the demand for skilled professionals in information security vastly outpaces supply.

Security needs to be thought of as a process, not a feature. It needs to mix data-driven decision making with human-focused experience design to make us all more secure, because simply urging everyone to create strong passwords, exercise link discipline, and keep threats outside the perimeter has not made us safer.

More information about Structure Security is available on the conference site. ZDNet is a proud media partner of Structure Security, and Editor-In-Chief Larry Dignan will be interviewing Jay Leak, CISO of Blackstone, on the first day. ZDNet readers registering for tickets can use the code "ZDNET" for a 25 percent discount off the list price.