CISO Simon Legg believes businesses have got into bad habits when it comes to the way we think about security during product design. Fortunately, habits can change.
The question of trust in technology is more pressing than ever. However, software, websites and apps are still being produced which fail to provide comprehensive security. Why is this still happening?
“I believe that part of what my job is, is social responsibility,” says Simon Legg, who last September took on the role of CISO at car insurer Hastings Direct. For Legg, it’s about educating people to make better security decisions. And he believes there’s one key reason that businesses and security teams are still making mistakes when it comes to security.
“I’m trying to drive us away from this culture of thinking about security in non-functional requirement terms, and always, always, always thinking about it in functional requirement terms.” For Legg, a recurring problem that businesses experience is that when building services, they divide software design into two buckets: functional and non-functional requirements.
By functional requirements, Legg means everything the app must do to serve its purpose (for example, when a user enters a search, the matching data is returned). Non-functional requirements are the qualities it must have while doing so (for example, that the search and its results are encrypted in transit and the user’s data is kept private). For Legg this is a false dichotomy, at least with regard to security.
“You create a culture of focus on one bucket versus the other, and therefore, it’s very easy to bias your efforts between the two. Typically, you prioritise the functional requirements over the non-functional requirements.” As a consequence, security is often bolted on as an afterthought.
In the worst-case scenario, “trust is broken through data leakage or misuse of data, or the fact that you pay for something and you don’t get the degrees of reliability that you’re after.” More likely, though, the end customer buys something which isn’t fully complete and must therefore fork out for further development work to get it to where it needs to be. If businesses treated security as a functional requirement, many of these problems would be avoided.
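What “security as a functional requirement” looks like in practice is that the security behaviours of a feature are written as acceptance criteria of that feature and checked by the same tests as the feature’s result. The following is an added illustration, not code from Hastings Direct or from the article: a constructed in-memory policy search in which per-customer scoping, masking of bank details and audit logging are requirements of the search itself (the record layout, the role name “payments” and the requirement labels FR-1 to FR-4 are all assumptions made for the example).

```python
"""Security requirements expressed as functional acceptance criteria.

Constructed example for illustration; the data model, the "payments" role
and the FR-n labels are assumptions, not anything from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    user_id: str
    customer_id: str
    roles: frozenset


@dataclass(frozen=True)
class Policy:
    policy_id: str
    customer_id: str
    registration: str
    bank_account: str


# Constructed sample data: two customers, one of whom has a car with the
# same registration as the other's, so a search that forgets to scope by
# customer would leak a record across accounts.
POLICIES = [
    Policy("P-1001", "C-1", "AB12CDE", "12345678"),
    Policy("P-1002", "C-1", "XY99ZZZ", "87654321"),
    Policy("P-2001", "C-2", "AB12CDE", "11112222"),
]

AUDIT_LOG = []


def mask_account(account: str) -> str:
    """Show only the last four digits of a bank account number."""
    return "*" * (len(account) - 4) + account[-4:]


def search_policies(caller, query, policies=POLICIES, audit_log=AUDIT_LOG):
    """Search policies by registration number.

    FR-1: return the policies matching the registration (case and spacing
          insensitive).
    FR-2: return only policies belonging to the caller's own customer account.
    FR-3: return the bank account in clear only to callers holding the
          'payments' role; everyone else gets a masked value.
    FR-4: record every search (caller, query, result count) in the audit log.
    """
    normalised = query.replace(" ", "").upper()
    hits = [
        p for p in policies
        if p.customer_id == caller.customer_id and p.registration == normalised
    ]
    can_see_bank = "payments" in caller.roles
    results = [
        {
            "policy_id": p.policy_id,
            "registration": p.registration,
            "bank_account": p.bank_account if can_see_bank else mask_account(p.bank_account),
        }
        for p in hits
    ]
    audit_log.append({
        "user": caller.user_id,
        "customer": caller.customer_id,
        "query": normalised,
        "results": len(results),
    })
    return results


def acceptance_checks() -> dict:
    """Run FR-1 to FR-4 as one set of checks; the security requirements sit
    alongside the feature requirement rather than in a separate bucket."""
    log = []
    alice = Caller("alice", "C-1", frozenset({"customer"}))
    payments = Caller("pay-bot", "C-1", frozenset({"payments"}))
    mallory = Caller("mallory", "C-2", frozenset({"customer"}))

    alice_hits = search_policies(alice, "ab12 cde", audit_log=log)
    mallory_hits = search_policies(mallory, "AB12CDE", audit_log=log)
    payments_hits = search_policies(payments, "AB12CDE", audit_log=log)

    return {
        "FR-1 matching policy returned": [r["policy_id"] for r in alice_hits] == ["P-1001"],
        "FR-2 other customer's record not returned": [r["policy_id"] for r in mallory_hits] == ["P-2001"],
        "FR-3 bank account masked without payments role": alice_hits[0]["bank_account"] == "****5678",
        "FR-3 bank account visible with payments role": payments_hits[0]["bank_account"] == "12345678",
        "FR-4 every search audited": len(log) == 3 and log[0]["user"] == "alice",
    }


if __name__ == "__main__":
    for requirement, passed in acceptance_checks().items():
        print(f"{'PASS' if passed else 'FAIL'}  {requirement}")
```

The point of the layout is that a change which breaks FR-2 (say, dropping the `customer_id` filter to speed up the query) fails the feature’s own acceptance run, in the same place and at the same time as a change that breaks FR-1, rather than waiting for a security review that may never be scheduled.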