Build Bridges for Digitalisation

From insecure code to digital product security.

In order to safeguard companies’ information, we security professionals tend to point to risk assessments, management support, documentation and training of personnel. This is important. However, there is no doubt that businesses must now merge security into their technical solutions in a different way than before. Security must be ensured throughout the digitisation process, from idea to code. Building bridges for digitalisation is essential to integrate security across the business and IT realms.

In mid-January, the Danish Data Protection Authority announced that it was recommending its strongest sanction to date. One of Denmark’s digital mailboxes failed at launch, giving users access to other users’ personal data. Notably, the largest fine ever recommended by the Danish Data Protection Authority does not stem from processing personal data without a legal basis or with a weakly defined purpose. The violation consists of privacy and information security not being prioritised in the development and testing of the solution. The Danish Data Protection Authority believes this warrants a sanction of DKK 15 million.

This is perhaps the clearest sanction yet against systems being developed and put into operation with inadequate security. Nevertheless, it is only the latest in a series of cases in which European supervisory authorities have reacted to weak technical security. One example is the Norwegian Data Protection Authority’s notification in November that the systems of the Norwegian Labour and Welfare Administration (NAV) do not satisfy the GDPR’s requirements for information security. Here, the Data Protection Authority points in particular to access control, logging and review of logs. In this case, it announced a violation fine of NOK 1.7 million.

How can large and competent companies fail at the basic safeguarding of information? Our experience is that many security challenges stem from the fact that the distance between decision-makers and developers is still too great. We see time and time again that management’s strategic requirements and goals, regulatory guidelines and technological development do not move in step. As a result, management’s responsibilities are diluted as they are implemented down through the organisation. This also compromises security.

Our experience is that companies that manage to think holistically about security and privacy are the ones best equipped to balance security work against business risk. Companies that also consider product security, rather than just software security, do this to an even greater extent.

Key questions to ask:

  • What data are we processing?
  • Who owns the data?
  • How do we get hold of the data?
  • When do we delete the data?
  • Where do we store the data?
  • Why do we use the data that we use?

In order to build information security and privacy into a solution, everyone involved must be able to answer these questions. If the answers are too vague, security, privacy and, not least, goal achievement will be equally vague.

An app, system or technical infrastructure rarely gets better than the quality of its requirements. To create the best possible conditions for privacy by design, there should be a defined process from idea to product request. If the IT department and developers are to do their tasks responsibly, it is important to spend time on some key security activities already in the idea phase.

It will be easier to safeguard both information security and privacy if the business side and developers collaborate on how to realise an idea. Requirements for services and solutions are easier to spot early in the process. The question of what you want to achieve must be shared by everyone involved.

Tips for good process tools

Effective tools for establishing the right context help answer the important questions of why, how, what, who, where and when (see, for example, the Zachman framework for enterprise architecture or Kipling’s “Six Honest Serving Men”).

Such questions can be answered, for example, through the following steps:

  • Conceptual flow sketch
  • Mapping and delimitation in relation to regulations and guidelines
  • Strategic and tactical requirements analysis
    • Stakeholder analysis
    • Process analysis
    • Information mapping

Regulations, technology, business, usage patterns and threats are changing at a rapid pace. How do you keep up? The answer is as obvious as it is complicated. It must be based on close cooperation across different roles and areas of responsibility. It cannot be left to IT and development alone.

“No man is an island,” John Donne wrote in the 1600s. That is just as true today. Management, business, IT, compliance and privacy cannot continue as isolated islands. Instead, invest in building digitalisation bridges now. To ensure good risk-based management and compliance, one must think holistically about product security.

Marius Engh Pellerud

Director, Cyber & Digital Risk

Gøran Brevik

Director
