Addressing The Speed-to-Market Paradigm
Our cybersecurity moonshot will start to gain momentum when we begin to change the fundamental behaviors that cause an unhealthy tech ecosystem. These behaviors lead to poor cybersecurity and are the direct causes of the challenges we face. Changing one behavior will not be enough for our moonshot, so we will have to pursue multiple, parallel paths to make it comprehensive.
How do we begin to change these behaviors?
We explore the difficulties of changing the long-practiced behaviors that cause poor cybersecurity in The Cyber Conundrum. One particular behavior which we explore in detail is what we call the speed-to-market paradigm. A paradigm is a model of behavior that is often replicated without question. In our case, getting software or technology products to market quickly, to deliver new capabilities, gain market share or keep up with competitors, is critical to most tech companies. The rapid pace of product development that comes with a competitive landscape often comes at a price: poor security.
The Cyber Conundrum provides ample evidence that while some companies’ product development processes don’t ignore security, for most, security is an afterthought or not considered at all.
So, how do we alter the speed-to-market paradigm so that better security is built into new products and services?
- First, we need to acknowledge that security must complement innovation, and that innovation should not be pursued at security’s expense.
- Second, we need to realize that competition drives behaviors in the free market.
We need to find a way to promote the adoption of better security practices and principles in the product development and innovation process. One way to do that is by arming technology buyers with enough information to make better purchasing choices based on security.
For example, the Cloud Security Alliance’s STAR program allows cloud service vendors to publicly disclose the security controls in their products by completing a self-assessment questionnaire built on the Cloud Controls Matrix (CCM).
The CCM is mapped to globally accepted security standards and regulations (e.g. PCI DSS, NIST, HIPAA, ISO 27001), giving it instant standing. The STAR program offers service providers different levels of transparency: at the entry level vendors self-attest to the security controls built into their products, and at higher levels the CCM provides an auditable framework that can be used for periodic third-party assessments or continuous security assurance, depending on the provider’s maturity level.
What does this mean for buyers?
In the cloud services world, providers who use STAR offer a window of transparency into the security controls and proficiency built into their products. If we teach more companies that buy cloud services the value of the STAR program and how to use the CCM to make buying decisions, we’ll help influence healthier buying decisions.
If companies begin to demand that providers complete the CCM as a condition of their buying decision, more vendors will start to adopt it. The useful thing about transparency is that it often drives competition. If two competing providers demonstrate different levels of security competency through their CCM disclosures, it may give the more secure provider an advantage over the other.
As more secure providers begin to gain market share, others will begin to catch up by closing gaps in their products’ security controls, driving better security across the tech ecosystem. Improving security through market-based preferences is a long-term objective and will take time. Scale is key: the more buyers who use the CCM and ask for audits, the more widely it will be adopted. Over time, demonstrating security proficiency in the cloud will become a table-stakes proposition.
Of course, cloud services are only one part of the tech ecosystem. Creating similar market shifts in the way commercial software and tech-enabled products are purchased is important to our cybersecurity moonshot. To change the speed-to-market paradigm in software, tech services and tech-enabled products (IoT, mobile devices, etc.), buyers must first demand more security transparency and make buying decisions with security in mind.
We will truly alter the speed-to-market paradigm of innovation at the expense of security when buyers begin demanding innovation and security together.