This blog is based on Ronen Lago’s interview on the Left to Our Own Devices Podcast.
Ronen Lago, former executive at Daimler, Lockheed Martin, Motorola, and others, relies on a top-down cybersecurity approach to boost quality and turn cybersecurity capabilities into revenue opportunities.
Market analysis is at the core of how Ronen modernizes the companies he works with.
During his military service, Ronen was tasked with securing advanced edge capabilities intended for use by friendly governments around the world. Working at the boundary between data and intelligence, where top-secret data was shared, left no room for error and required him to reimagine the best practices of the time. The best way to do that was to understand what his adversaries knew, what their capabilities were, and what really drove them.
At the same time, this highly secured system still had to be used by everyday users. Too much security and the device won’t be usable. Too little, and national secrets end up on the deep and dark web.
Low security standards put brand reputations on the line
Treating cybersecurity as a market enabler instead of an IT headache has let companies such as Daimler reach the market in a way that other companies are nervous to attempt. Owning their security standards allowed them to tell prospective buyers “Our car is safety. Our car is security,” distinguishing them as customer-first in every way.
In the past, cybersecurity teams were given a narrow window to review a product and request changes only when development was nearly complete and the product was about to go to market. Unfortunately, many of the recommended security fixes were impractical at that stage because of the pressure to ship, forcing security specialists to watch as insecure products were delivered to customers. “If we look at a classic organization today, some of them have security getting into the game very late, after most of the product was developed and everything is almost ready. Now, we want to go to the market and a minute before we say ‘Okay, let’s try to do something with security’. At this point, the ability to really fix or to influence the product is minor. Those small teams need to invest a lot of effort in a very short time.”
What companies must remember is that a customer doesn’t care why a problem occurred, whether it came from an in-house developed component or something made by a third-party vendor. All they want to know is that something broke and how it will be fixed. Even after a fix is issued, the reputational damage to the brand can’t be undone, and the company will once again need to prove itself secure and reliable, long after the sale is completed.
Shifting left creates magical synergy and tangible results
This old way of bringing cybersecurity teams into the fold at the end of development is becoming a thing of the past. As executives turn their attention to cybersecurity, more of them are making security teams part of the development process from the beginning.
“Organizations today understand what we call ‘shift-left’, starting as early as possible and getting those security teams in the room as early as possible in the process,” said Lago on his ideal approach. “Even a two hour session on security architecture when they design the product can streamline the entire development and deployment process. It’s low effort, but the meetings have people understanding the right mechanisms, with the right hooks, and the right mindset. Simple security awareness training for developers can allow one security specialist to guide 100 developers.”
Given how hard it is to hire skilled cybersecurity specialists, the ability to shape a product’s design from a security perspective lets small security teams clear much of the noise they usually have to deal with. Mistakes are caught earlier, before the product reaches the QA team, and developers feel empowered by clearer guidelines and a shared sense of purpose in the way they code.
What’s more, organizations can reduce stress while maximizing efficiency. Lago explains “The benefits go beyond security. You will be able to do some preemptive actions earlier in the process. It will be more efficient, it’ll cost you less and hopefully will allow you to go to market faster because you’re not waiting until the end to take care of handling some serious stuff. The benefit is huge to the company if done right.”
For future market winners, compliance is just the beginning
The future is ripe for those who maximize their cybersecurity capabilities along with user experiences. They will have the organizational structure to adapt faster, update products faster, and recognize market demand earlier.
For this to happen, a true shift-left approach needs to occur, starting with executives. Leadership must require that security teams be involved as early as possible in the process, until both sides recognize that they benefit from it. Developers gain by having fewer issues when their work reaches quality assurance, and they can build safety in with users in mind. Security can focus on real issues instead of wading through the noise that often fills their day.
Once this inter-departmental conversation flows, the results are remarkable, but getting there requires very close executive attention. “At the end of the day, if you drive a car, you want to make sure it’s safe. Drivers don’t want it to be safe only on the day it was purchased. They want to make sure it’s safe after two years. They want to make sure it’s safe after it undergoes maintenance in the garage,” explained Lago.
Just as you don’t second-guess the security of your phone’s latest update, companies must make sure devices remain secure from the earliest design stages all the way through the end of the product’s life. “Still, regulation and compliance are among the key drivers for executives. Without it, they cannot do anything,” continued Ronen. “For example, medical device manufacturers want to comply with the FDA even before they comply with cybersecurity standards because without it, they can’t go to market. So, if the FDA comes out with security regulations, device manufacturers will meet them.”
“But when we talked before about the winner, those are the ones who will understand that compliance is only the first level. Yes, it’s the enabler to pass the gate, but if you want to win the market, you must have a different mindset. You must understand that you need to do things differently and not just, you know, do the checkbox and cross the bar. By taking ownership and saying ‘we are compliant’, this is the difference between being in the market or winning the market.”
It’s all about balance
Organizations need to understand that the security and threat landscape touches every part of their organization. When it comes down to it, shifting left can make things more efficient, but it takes an executive mindset and reliance on advanced automation tools to truly clear the noise and focus on what drives the business.
Lago clarified, “Security teams need to work hand in hand with the product team because at the end of the day, both of them need to remember that they have a customer to sell to and that the product needs to be high quality while also getting to market faster.”
Every new device a company deploys needs to be developed to the highest cybersecurity standards while still working seamlessly for the end user. Doing this on an ongoing basis for hundreds of device components can only be achieved by automating security processes throughout development, freeing time to consider user experience and market needs.