Companies are welcoming security into broader business strategies, rearticulating when security enters the product development roadmap.
"Everybody's juggling for time to build the features; last minute feature requests, last minute integration issues. You don't want the security features coming in and trying to basically squeeze them into the release at the last minute," said Roman Shapiro, director of information security at Nasdaq, during the virtual Cybersecurity Summit by the National Cyber Security Alliance and Nasdaq.
"At that point, everybody's stressed, everybody needs the product to go live," Shapiro said.
Beyond satisfying internal teams, it's the consumer who really gets the last word. High-profile breaches and security incidents have amplified consumer expectations for privacy and security. But consumers don't want to give up functionality or experience in the name of security.
"I think that a lot of features in security also provide usability to users," said Shapiro. Consumers benefit from the early integration of security because "you don't have a separation between a login feature and the product behind the login, they seem like they were always together," for example.
Include consumers on MFA
Brian Vecci, field CTO of Varonis, had an experience on a consumer-facing website that recently enabled multifactor authentication (MFA). "They were bolting on security on top of the functionality that they already had," he said during the panel. The feature, an afterthought, required users to log in again as they "traversed around the website."
"It was a dramatically poor implementation. It was basically an illustration that there was no security or privacy by design from the beginning," said Vecci.
It "drives me nuts" when products don't properly account for users of password managers, said Vecci. When a website or tool works with password managers, it's an indication that security was baked into development.
Ease of secure access is just one component. Applications across domains — mobile, web and cloud — collect data. Legal responsibilities, like GDPR or CCPA, dictate how that data may be used in products. "Encryption is paramount these days. The cost of encrypting your data in transit, at rest is so minimal," said Shapiro. "The old argument about making the site slower … it doesn't fly anymore, because the technology has gotten so much better."
Adding encryption during product development takes "a marginal amount of processing," said Shapiro. The added bonus is that users feel more confident and trust the experience. "Be upfront and tell them that your data is safe with us, 'We're encrypting using TLS 1.2 in transit.'"
More than a statement
When GDPR approached, companies fell behind in compliance, with many rushing to publish updated policies with little backend security in place to support the claims.
Vecci performed a risk assessment during which he was told the organization didn't allow consumer PII on cloud data stores, as stated in its internal policy.
"We did a risk assessment and found a spreadsheet with 150,000 credit card numbers tied back to identities completely unencrypted sitting on somebody's OneDrive," he said. That's the nature of data: it accumulates in areas that are unaccounted for.
Without security controls that "verify that your privacy policies are being adhered to," companies' privacy standards fall short, said Vecci.
Consumers expect more from businesses as breach fatigue worsens. "Are people waiting for the friction that comes with MFA? Absolutely. Is that materially different than it was a couple of years ago? Absolutely," said Steve Clark, managing director and business unit information security officer at Bank of America, while speaking on the panel.
The change in consumer expectations has created, in a sense, a joint security effort. Part of what today's product developers and security professionals have to do is "draw the user into taking ownership of part of the problem," said Clark.
For different products, shared responsibility varies. "I think that the user will understand the nuances of cryptography and hash algorithms and such. I think we should always make that available to those that choose to, but we have to translate it into such a way that it's consumable and applicable to the pieces they understand," said Clark.
Each component becomes a little more understood through an iterative feedback loop. "You can take the feedback from the users and put it in a week later or two weeks later. Your site is basically a living organism when you're doing continuous development," which security is part of, said Shapiro.
If users feel the "friction" of MFA, designers can reevaluate its implementation, said Shapiro. MFA could be made optional, or there may be an entirely new alternative.
However, even with the freedom to adjust and iterate, not all security decisions should be questioned. If a user goes to a banking site without MFA, "you start questioning that banking site, because a dozen others all already do that," said Shapiro.