“Cyber is a boardroom issue!”

Security and compliance functions are merging: Here’s what that means for cloud-focused developers

Chris Davis
data security
© Shutterstock / deepadesigns

Data breach headlines over the last 12 months hammer the point home that companies can no longer afford to treat data protection as an external add-on to their business. In this article, Chris Davis explores three key trends that frame how developers can help achieve new data protection objectives.

Cyber is a boardroom issue!” might be one of the biggest data security clichés, but data breach headlines over the last 12 months hammer the point home that companies can no longer afford to treat data protection as an external add-on to their business. While the prospect of lawsuits and mammoth fines puts a harsh spotlight on boards and C-Suites, the reality is that existential risk debates always go straight to the top and cyber risk is no different. The bigger question is “How are companies reflecting cyber risk readiness throughout their IT and business operations roles?” because the other 95 percent or so of organizations are the people building the apps or re-tooling the sales and support functions that house and use data in the first place, respectively.

Developers, business analysts, and architects may not answer to boards or have to be “the decider” on every risk question, but they do have enormous shared stakes in how companies move forward in the current cyber risk environment. These professionals’ hours and deliverables can either foster the improved visibility and control of data companies’ need– or not.

For years, organizations enlisted developers, service providers, and partners to reshape their IT and operations in the era of mobility, cloud and distributed workforces. Budgets and priorities focused on building apps, integrations and business use cases. Meanwhile, on the security front, companies saw their traditional layered security controls as a sufficient safety net theoretically mitigating the risk of theft or egregious abuse. Stacks of firewall, intrusion prevention, and encryption products across offices lent a comforting feel, but time shows us they struggle to protect data in hybrid cloud ecosystems from being manipulated, shared and multiplexed across corporate and external data centers. While acrobatic developers and data kept innovating, the data protection “safety net” beneath them falls further and further away and can no longer stretch to all corners.

With less confidence in old safety nets, developers must help achieve new data protection objectives framed by three key trends.

Facebook and Cambridge Analytica made “API” a household word

Last year was striking for the public education Facebook’s privacy problems gave the mainstream public on the power of APIs, and how much easier they are to create and use, versus monitor and enforce. Policymakers, journalists and consumers are used to wondering if criminals are going to break-in and steal their data from Company-X, but what if Company-X does something equally unsettling on its own? If Company-X offers access to Company-Y, does Company-X even have the ability to keep Company-Y from looting data outside the scope of the agreement?

APIs and interchanges far outnumber spies and criminals in corporate networks. Many of the former are benign and well-behaving, but after 2018 it is up to developers to do their part in recognizing how much their architecture and expertise is necessary to securing this risk surface. 

Put a number on it: Laws are crystallizing breach costs, affecting everyone’s budget

One of the biggest cyber risk management challenges in business is identifying the tangible cost of breaches and non-compliance. Unlike the toll of physical crises over decades, like product recalls, factory fires or sunken cargo ships, there is comparatively scarce normalized information on what data breaches “cost,” let alone when you try to compare recovery from a retailer’s credit card breach, for example, to a dating site spilling users’ logins and passwords.

Enter Europe’s General Data Protection Regulation (GDPR) into the equation. This May will mark a year under GDPR and the specific, per-instance fines/threatened actions under the law are serving up hard numbers companies must navigate around. Free markets and regulations both play a role in setting the forces and counterweights behind pricing and costs. GDPR is a big measure for sure but also represents just one region of the globe. No one should expect developers to become GDPR or cross-border trade scholars, but those of us building code and cloud systems need to anticipate the new cost and risk variables these regulations introduce and understand how our apps can trigger them.

“Privacy” is becoming a customer taste and preferences issue

Developers need a mission – “What business need are we building [X] to solve?” One of the best examples of this are decision support systems and dashboards managers use to control inventory, monitor orders and spot ways to bring greater efficiency, customer loyalty or seasonal profitability out of existing activities and business data.

Developers should expect to build and update business IT systems that are better able to log customers’ privacy preferences and help managers create or terminate data-sharing practices on the fly if, in the CEO and COO’s judgment, gathering or using less data is better for the company than the alternative. For example – consider the case of cellular carriers who offered mechanisms to sell subscribers’ location data to third-parties, as part of their business model. When news of this industry practice became public and stirred an outcry, carriers like AT&T consciously announced they would end the practice.

Starting or stopping data practices like this is never as easy as flipping a switch. In the hybrid cloud era every process is fluid and interwoven with others, meaning it is up to developers working in this highly integrated environment to do their best in helping ensure management will not have to bring a company’s technology – its nervous system – to its knees, in the process of starting or stopping an offering.

SEE ALSO:  Want to improve your data security? Be GDPR compliant

Cloud-first can sustain security, not break it

Developers should not view the above as a long list of technically constraining demands. In fact, it is arguably time for developers and cloud architects to start these data protection conversations with security teams, CIOs and others to give everyone a level-set on the fabric of the company’s development roadmap and ecosystem. If developers are pressured to have cutting-edge cloud-native deliverables “play nice” with the home office’s old firewalls, we have an even greater problem. Instead, developers should feel empowered to clear the whiteboard and explore how their apps and the cloud itself can host features and abilities to provide better cloud-native visibility and control over what is happening with users and data.

Developers, security pros and executives all intuitively know that whether we’re talking profitability or liability, “it’s all about the data.” As jarring as recent headlines are, greater awareness of security and privacy’s intertwined dependencies can foster a lot of helpfully provocative and strategic conversations and collaboration between those who protect the data crown jewels and those who sharpen them.

data protection

Chris Davis

Chris Davis, CISA, CISSP, C|CISO, is an author, speaker, and industry contributor, driving product strategy for Caveonix. He has trained and presented in information security and certification curriculum for enterprise and governments worldwide and has three patent submissions.

As an author, Chris has written and contributed on topics covering information security, forensics, and auditing.  Two books that he commissioned, Hacking Exposed: Computer Forensics and IT Auditing: Using Controls to Protect Information Assets, became core curriculum components for many universities.

Chris has held positions at Oracle, Amazon, VMware, VCE, Critical Start, Accudata Systems, ForeScout Technologies, and Texas Instruments and holds a bachelor’s degree in Nuclear Engineering Technologies from Thomas Edison and a Master’s in Business from the University of Texas at Austin, where he specialized in Information Security.

Inline Feedbacks
View all comments