Companies today are often not equipped to sell secure software, because they are not incentivized to do so, and because consumers are in no position to demand it. But this market failure won’t last long.
Governments are in the process of passing new laws to ensure higher standards for software security and data privacy. The era in which tech companies inadequately test their software for security and privacy vulnerabilities is coming to an end. Last year, for example, California became the first U.S. state to enact basic standards for software used in the “internet of things.” And various proposed state laws around the country would raise the penalties for privacy or security failures. Similar efforts are ongoing around the world, from India to Brazil.
Software companies and their corporate customers shouldn’t wait to take action. To start with, they should not only gauge their level of security in terms of the patches they install or the incidents they respond to, but also consider the labor-intensive, ongoing processes they devote to preventing privacy and security vulnerabilities. That means that the time devoted to testing software and maintaining it once it is deployed will become central metrics in securing enterprise data.
Companies that create and deploy software can ready themselves by adopting two additional strategies.
First, they must focus on embedding security processes into the software design and deployment life cycle as early and as often as possible. Companies that purchase software should continuously track their attack surface and ensure that the teams appointed to simulate attackers are actively probing company networks and testing security readiness.
Second, companies need to connect the resources they spend on privacy and security to the volume and complexity of the code they seek to protect. As the number of lines of code in any given software system grows, or as its user base expands, organizations will have to increase their efforts to protect the privacy and security of their customers.
Soon, a less than robust software security strategy will become more than a public relations liability; it will become a serious legal vulnerability. It’s best to be prepared.
(Andrew Burt is chief privacy officer and legal engineer at Immuta.)
Copyright 2019 Harvard Business School Publishing Corp. Distributed by The New York Times Syndicate.