
Cybersecurity Protocols Are Squeezing Developers, Who Are Already in Short Supply

Much of the Pressure Created By Cybersecurity Regulations Is Falling on a Weak Spot in the Tech Industry

by Trevor Morgan
August 10, 2021
in Cybersecurity
Data security principles codified in cybersecurity protocols like GDPR, CCPA, PCI DSS and others are raising protection standards. They also spell more work for software developers. Managers, meanwhile, must decide whether to prioritize security in an unstable economy.

With the recent shift to cloud-native architectures, responsibility for cybersecurity is falling more and more on the shoulders of developers. The so-called “shift left” in the continuous integration / continuous delivery (CI/CD) pipeline, with software development (Dev) on the left and IT operations (Ops) on the right (downstream of development), has put pressure on developers to deliver secure code at an expedited pace.

This repositioning of security earlier in the development lifecycle highlights the importance of creating secure code as the foundation for any digital estate, with cybersecurity embraced within the very culture of the company before the first transaction takes place. Unfortunately, in the vast majority of cases, developers are measured on rapid delivery of business value through functioning value-added code, not necessarily on the security of their work. Time to market is paramount, and security is treated as an inconvenience and sometimes an outright obstacle to a speedy delivery of software.

Under regulatory frameworks like CCPA, GDPR and PCI DSS, basic compliance might be achievable with perimeter-focused controls, but the scope (and cost) of audit can magnify across an entire cloud-native ecosystem. Without data-centric security measures, data is exposed once it moves beyond perimeter environments into more diffuse cloud-based data ecosystems.

The very notion of data-centric security is rooted in the idea that the data itself is the focus of protection, whether through secure design or through pseudonymization techniques such as tokenization or even format-preserving encryption. Code designed with security in mind should be the primary weapon in your arsenal – code that takes into account how the data the application handles can be processed and worked on securely. This makes it even more crucial to ensure that data is secured appropriately from the very beginning of the architectural and development processes.

Admittedly, the many data security regulations across one or more legal jurisdictions can often be confusing. At the end of the day, “security by design” often means that developers are left to deliver secure systems under extreme pressure and limited time instead of having the latitude and resources to weave security into the product throughout the development process.

This situation raises the question: why should application developers be held responsible for securing the data processed by their clients? After all, developers are hired to provide business value and customer experience optimization and should be treated (and measured) as such. While developers are expected to create secure application architectures, the buck does not — and should not — stop with them.

Cultivating a Culture of Data-Centric Security

We should acknowledge a significant cultural barrier to achieving cybersecurity from a developmental standpoint. Putting too much pressure on developers to deliver code rapidly means corners will be cut somewhere at some point. Therefore, business leaders must instill within their employees a passion for data-security-minded software development (and even incentivize it). They need to cultivate a culture of security by design and not compliance after the fact by ticking boxes on a feature-by-feature basis.

Data privacy regulations like CCPA and GDPR promote the notion of “secure by design” and “privacy by design” principles, while additional regulations such as the PCI DSS that apply to financial institutions encourage similar “north star” security principles. In the U.K., for example, GDPR requires organizations to put in place appropriate technical and organizational measures to implement data protection principles effectively and safeguard individual rights. This is “data protection by design and by default.” PCI DSS stipulates that enterprises processing cardholder information “must address common coding vulnerabilities in software development by training developers at least annually in up-to-date, secure coding techniques, including how to avoid common coding vulnerabilities and develop applications based on secure coding guidelines.”

No matter what an organization’s financial outlook happens to be, a single breach can bring it all tumbling down. All the transformational ideas, innovation and precise execution can be rendered pointless in the event of a widespread data breach, because critical intellectual property can be exposed. On top of that, loss of customer trust following a data breach means that consumers will hesitate to adopt product or service offerings moving forward, quickly turning to other solutions and negatively affecting your bottom line. A single event can turn a prospering company into a struggling one, literally overnight.

Data breaches have consequences far beyond loss of client trust. Any data security incident may prove to be catastrophic or even an existential crisis for the organization, exacting an especially heavy toll on the C-suite. Data security thus needs to be woven into the DevOps fabric and process, in the CI/CD pipeline – and by default, not as an exception, nor bolted on after it’s entirely too late. And this culture starts with the C-suite and executive management.

On one hand, the forthcoming generation of early-career software developers brings highly sought-after skills in cloud application development, either from experience in dynamic cloud-first startups or due to more sophisticated professional training. And they are native users of technology from their earliest years!

On the other hand, these developers often rely on cloud platforms for security without grasping a deeper awareness of their limitations and resilience capabilities when under attack, which can lead to significant and damaging data breaches. Again, a culture of data security and data privacy has a positive effect on these professionals, reinforcing the moral and ethical reasons for that culture, not just the cynical business value of it all.

Developing an Alternative Solution

Over the last decade, seasoned developers and engineering managers, especially those who have lived through painful data breach incidents and bought into evolved OWASP principles and MITRE ATT&CK situational awareness, have begun weaving security and risk mitigation into software development life cycles and operational processes. Highly experienced enterprise security architects with responsibility to bring state-of-the-art solutions to market within new data engineering strategies must also be familiar with powerful data protection techniques such as tokenization, format-preserving encryption and zero trust architectures. These techniques complement each other within an overarching data-centric strategy. This means not simply securing the perimeter around the locations where any data resides, but securing the data itself in a way that renders personally identifiable information (PII) meaningless but still workable in its original format by the application under development. This approach allows information to be used for business-critical activities such as data analytics while still maintaining regulatory compliance guided by a culture of security and privacy.
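As an added example (not the author's or comforte's code), here is a minimal vault-based tokenization service illustrating the point above: the token keeps the length and last four digits of the card number so the application can still work with it, and only a hypothetical 'payment-processor' role can recover the original. The card number used is a constructed, well-known test value.

```python
# Constructed example, not from the article or any vendor's product: a minimal
# vault-based tokenization service. The card number (PAN) is swapped for a token
# of the same length that keeps the last four digits, so applications and
# analytics still work on it, while the real value exists only inside the vault.
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check; real card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    # In-memory vault: the only place the real PANs are stored.
    def __init__(self):
        self._pan_to_token, self._token_to_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:   # same PAN -> same token, so joins still work
            return self._pan_to_token[pan]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            # A token passing Luhn could be mistaken for a real PAN; reject it, and any collision
            if not luhn_valid(token) and token not in self._token_to_pan:
                self._pan_to_token[pan] = token
                self._token_to_pan[token] = pan
                return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the hypothetical 'payment-processor' role may recover the original."""
        if role != "payment-processor":
            raise PermissionError("role not allowed to detokenize")
        return self._token_to_pan[token]


def demo() -> dict:
    # Tokenize a constructed, well-known test PAN and report what each caller observes.
    vault, pan = TokenVault(), "4111111111111111"
    token = vault.tokenize(pan)
    try:
        vault.detokenize(token, "analytics")
        analytics_blocked = False
    except PermissionError:
        analytics_blocked = True
    return {
        "format_kept": len(token) == len(pan) and token[-4:] == pan[-4:],
        "token_not_a_pan": not luhn_valid(token),
        "stable": vault.tokenize(pan) == token,
        "analytics_blocked": analytics_blocked,
        "processor_recovers": vault.detokenize(token, "payment-processor") == pan,
    }
```

A reporting or analytics service can count, group and join on the token without ever holding the real number, which is what keeps such data "workable in its original format" while taking it out of audit scope.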

Meanwhile, DevOps cannot simply bolt data security onto an operational model when it comes to persistent data protection, particularly for data traversing microservices and containers into entirely different data ecosystems and distributed enterprise data architectures. So far, most dev-centric security practices relate to classic coding practices, vulnerability scanning, perimeter-centric controls, user access control and container integrity. These are critically important in themselves, but they are incomplete from a data exposure perspective, particularly in light of compliance and the risk of data incidents or breaches. The missing key ingredient for data privacy and security compliance and risk reduction in these environments is data-centric security built into data processing itself, protecting the data rather than only its surroundings.

As the IT security skills gap widens, finding developers with this deeper level of intrinsic knowledge and experience is becoming increasingly difficult. According to the recent ISC2 report, with COVID-19 and the resultant changes in hiring as well as the continued focus on digital transformation, the cybersecurity industry still needs a staggering 89 percent growth in skilled practitioners to address the current backlog of over 3 million skilled developers and IT professionals.

A dangerous lack of cybersecurity skills combined with an increasing complexity of digital infrastructures means organizations must adopt better security tooling and more effective governance processes in order to resolve risk and privacy issues. Additionally, these solutions must allow information to be immediately consumable without requiring hefty budgets to hire even more specialists. Unfortunately, 2021 will most likely amplify this problem, as more business leaders aim to prioritize operational efficiencies and profit over data protection by getting systems online before they are secure.

But for anyone still wondering for whom the data security bell tolls, the SEC and FINRA have made it clear: It tolls for thee.


Tags: California Consumer Privacy Act (CCPA), GDPR, Payment Card Industry Data Security Standard (PCI DSS), Risk Management Frameworks
Trevor Morgan

Trevor J. Morgan is responsible for product management at comforte AG, where he is dedicated to developing and bringing to market enterprise data protection solutions that meet ever increasing risk and compliance requirements. He has spent the majority of his career in technology organizations bringing to market software, hardware and services for enterprise and government customers. Trevor has held senior-level, lead positions in sales engineering, product management, software architecture and product marketing in companies like Cisco, Capital One and Ciena. He holds a Ph.D. from Texas Tech University and a bachelor’s and master’s from Baylor University.
