Why we must embrace a 'security by design' mindset

By Tim Grieveson, chief cyber and security strategist for enterprise security products, EMEA, Hewlett Packard Enterprise

To contend with today's threat landscape, security professionals must undergo a significant cultural and philosophical shift, as demonstrated by the findings in the HPE Cyber Risk Report 2016. For example, we need to embrace what I call "security by design," which does away with the point-fix, whack-a-mole approaches of old in favor of baking security into every facet of an organization and ecosystem.

Some good news: A growing number of security vendors are adopting this approach in the solutions they develop and bring to market. But security is about more than technology—it involves people and processes, too. We must stop thinking about security as any single, finite solution, and weave it into the fabric of every company, as it relates to employees, technology and information, physical assets, relationships with partners and vendors, and more.

Take software development: Programmers have traditionally been tasked with addressing issues of performance, speed, usability, multiplatform support, and cost; security is at best an afterthought. Yet we have more tools and methodologies than ever for baking security into every step of the application lifecycle. We should be using them.

Weave security throughout your company ecosystem

Similarly, security by design should encompass all facets of your organization and ecosystem, not just your network or other technology assets. Consider the physical parameters of your buildings and people, too. The bad guys use all the methods that are at their disposal: monitoring social media accounts, observing security guards and CCTV video, keeping tabs on the comings and goings of custodial staff—anything that will help them build a complete picture of the largest possible attack surface.

If I were trying to access the CEO, I’d probably go for the executive assistant or the janitor or the marketing person or someone in HR to get to her data. Why? The access point and the ultimate target don't need to be one and the same, and the protections we put in place are rarely uniform, either. It's crucial to take a 360-degree view to protect all assets. Security must be everyone's responsibility, not just that of the CIO or CISO and their direct reports.

We recently conducted research into the top security devices in the market, things like door-entry systems, closed-circuit cameras, and so forth. We found vulnerabilities in all of them, whether it be poor authentication, poor password requirements, or unencrypted data stored in the cloud. The results shocked me.

Security by design requires an evolutionary change in our mindsets and approaches. We need to get smarter. We need to be better ourselves, and we need to insist on security being part of the ecosystem—an expectation rather than something we tack on later and say, "Lock that down, make it secure."

Security should be a priority that enables the business—not an afterthought that slows it down. Otherwise, the bad guys will continue to win.

Tim Grieveson is chief cyber and security strategist for enterprise security products, EMEA, Hewlett Packard Enterprise. Read “6 steps CIOs and CISOs must take to manage cyber risks” for more of his strategic security recommendations.
