Build Bridges for Digitalisation

From insecure code to digital product security. Build bridges for digitalisation and integrate holistic security, ensuring effective information security and privacy in your solutions.

This is perhaps the clearest sanction against systems being developed and put into operation with inadequate security. Nevertheless, this is only the latest in a series of cases in which the European supervisory authorities react to weak technical security. One example is when the Norwegian Data Protection Authority in November notified that the systems Norwegian Labour and Welfare Administration (NAV) do not satisfy GDPR’s requirements for information security. Here, the Data Protection Authority points in particular to access control, logs and control of logs. In this case, they announced a violation fine of NOK 1.7 million.

How can large and competent companies fail when it comes to basic safeguarding of information? Our experience is that many security challenges stem from the fact that the distance between decision-makers and developers is still too great. We see time and time again that management’s strategic requirements and goals, regulatory guidelines and technological development do not move in line. As a result, the responsibilities of management are eroded by their implementation in the organisation. This also compromises security.

Our experience is that companies that manage to think holistically about security and privacy are the ones that are best equipped to balance security work in line with business risk. Companies that also consider product security rather than just software security do this to an even greater extent.

Key questions to ask:

  • What data are we processing?
  • Who owns the data?
  • How do we get hold of the data?
  • When do we delete the data?
  • Where do we store the data?
  • Why do we use the data that we use?

In order to build information security and privacy into a solution, everyone involved must be able to answer these questions. If this becomes too approximate, security, privacy and, not least, goal achievement will also be the same.

An app, system or technical infrastructure rarely gets better than the quality of the requirement. To facilitate the best possible terms for privacy by design, there should be a defined process from idea to product request. If the IT department and developers are to do their tasks in a responsible manner, it is important to spend time on some key security activities already in the idea phase.

It will be easier to safeguard both information security and privacy if the business side and developers collaborate on how to realise an idea. Which requirements for services and solutions are easier to spot early in the process. The question of what you want to achieve must be shared by everyone involved.

Tips for good process tools

Guidance for effective tools in establishing the right context and answering important questions about why, how, what, who, how and when (cf. for example, the Zachman framework for enterprise architecture or the “Six Honest Serving Men”).

Such questions can be answered, for example, through the following steps:

  • Conceptual flow sketch
  • Mapping and delimitation in relation to regulations and guidelines
  • Strategic and tactical requirements analysis
    • Stakeholder analysis
    • Process Analytics
    • Information mapping

At a rapid pace, regulations, technology, business, usage patterns and threats are changing. How do you keep up? The answer is as obvious as it is complicated. It must be based on close cooperation across different roles and areas of responsibility. It cannot be left to IT and development alone.

“No man is an island,” John Donne claimed in the 1600s. That is just as right today. Management, business, IT, compliance and privacy cannot continue as isolated islands. In that case, one should invest in building digitalisation bridges immediately. To ensure good risk-based management and compliance, one must think holistically about product security.

Read more about our Cyber & Digital Risk offering here.

Marius Engh Pellerud

Director, Cyber & Digital Risk

Gøran Brevik

Director

Let's connect

Build Bridges for Digitalisation Build Bridges for Digitalisation
I want an Advisense expert to contact me about:
Build Bridges for Digitalisation

By submitting, you consent to our privacy policy

Thank you for connecting with us

An error occurred, please try again later