New year, new habits? Why this CISO reckons you need to change your security behaviours

CISO Simon Legg believes businesses have got into bad habits when it comes to the way we think about security during product design. Fortunately, habits can change.

The question of trust in technology is more pressing than ever. However, software, websites and apps are still being produced which fail to provide comprehensive security. Why is this still happening?

“I believe that part of what my job is, is social responsibility” says Simon Legg, who last September took on the role of CISO at car insurer Hastings Direct. For Legg, it’s about educating people to make better security decisions. And he believes there’s one key reason that businesses and security teams are still making mistakes when it comes to security.

“I’m trying to drive us away from this culture of thinking about security in non-functional requirement terms, and always, always, always thinking about it in functional requirement terms.” For Legg, a recurring problem that businesses experience is that when building services, they divide software design into two buckets: functional and non-functional requirements.

By functional requirements, Legg is talking about all the essential things an app must do to function (i.e. when a user enters a search, specific data is returned). This is in contrast to non-functional requirements (i.e. the app also ensure that whenever a user enters a search, their data is encrypted and kept private). For Legg this is a false dichotomy, at least with regards to security.

“You create a culture of focus on one bucket versus the other, and therefore, it’s very easy to bias your efforts between the two. Typically, you prioritise the functional requirements over the non-functional requirements.” As a consequence, security is often bolted on as an afterthought.

In the worst-case scenario, “trust is broken through data leakage or misuse of data, or the fact that you pay for something and you don’t get the degrees of reliability that you’re after.” More likely though, is that the end customer buys something which isn’t fully complete and must therefore fork out for further development work to get it to where it needs to be. If only businesses thought about security as a functional requirement, many of these problems would be avoided.

Habits are hard to break

So how did we get to this situation? “It’s bad habit” Legg argues. “Security is always seen as an IT problem to solve”, rather than something for users or business analysts to worry about.

Another bad habit is the tendency to focus on creating a ‘Minimum Viable Product’ (MVP). Software developers are expected to “create something that’s good enough so that you can see whether or not it’s going to succeed.” That’s fine, but it means people tend to build a “minimum product and forget the viable piece, because it’s the V [in MVP] in which the non-functional requirements tend to play.”

Then there’s a people problem. Legg points out that when businesses recruit CISOs, there’s a strong tendency to emphasise technical skills, rather than hiring “someone that can help people understand risk associated with the use of the technology.” This means businesses might be employing technically gifted security leaders, yet these people continue to perpetuate bad habits since “people will always work on their areas of strength.”

What’s the solution?

In an ideal world, every piece of software that businesses developed would incorporate security from day one. Best practices would be considered, and the development team would work closely with business analysts and end users to understand the real-world security risks in using the product and minimise them from the start.

That’s a nice idea in theory, but as Legg points out, few established businesses have this luxury. “From a technology perspective, unless they’re brand new, it is like eating an elephant. There are tons of legacy systems out there. There are tons of errors that were not picked up, because maybe you had the wrong culture at some stage or the wrong bias.” All the same, this doesn’t mean businesses are incapable of changing.

“When you want to effect change, you have to make more incremental changes and you have to understand that it is a marathon not a sprint” he explains, drawing on his own recent experience of moving to a new role as a CISO in an established insurance business. “There’s no magic wand. Just accept the fact that, ‘Okay, we’ve got the message, we’ve got the mindset in the right place. Now let’s go after eating that elephant’”.

Cultural change

Legg will be describing the steps to changing these bad habits in more depth during his talk at Cloud & Cyber Security Expo. However, for him at least, cultural change is the most important part of ‘eating an elephant’.

“It is about getting people familiar with the priorities, familiar with the message, and it’s about adding in meaningful interactions. It sounds simple, but for me, it’s always making sure that the right people are talking to the right people. If you can learn the new expectation, and the new expectation of the CISO is that we build security in and we think about it from a functional versus non-functional requirements perspective.”

This can take many forms. It’s certainly invaluable to talk to technical people, but he describes ways that the business as a whole can change its security culture. He describes, for instance, how as a tenured CISO he continues to launch initiatives that educate all staff on security best practice in both their professional and personal lives.

New tricks

For Legg, this is as much about a change in mindset as anything else; it needn’t be any more expensive or time consuming to consider security when building an MVP. “If you think about security as a functional requirement, then you don’t slow things down necessarily, you just make sure that you’ve got the correct list of things right out of the gate.” And in the long run, that should make products safer, more secure and more cost effective too.