SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Exclusive: Aura on designing a secure IT infrastructure
Mon, 17th Sep 2018

Despite growing recognition of the importance of cybersecurity to organisations in Australia, more often than not, it's still regarded as an afterthought in the implementation of new solutions.

For most boards, it's difficult to justify the expense of security until it's too late and the organisation has already suffered the consequences of a cyber attack.

SecurityBrief spoke to Aura Information Security Australia country manager Michael Warnock about what it means to implement secure IT systems from the ground up.

What are the most common challenges CSOs face when building security into their IT systems?

A security by design approach enables CSOs to proactively identify the security risks in their business early on, enabling them to remediate vulnerabilities when it is most time and cost effective.

After all, if companies don't have the visibility of the information security risk they are introducing, then the organisation is potentially leaving more valuable information assets wide open for cybercriminals.

The most common challenge continues to be to articulate the value of implementing versus the risk of not implementing, and secondly evaluating current staff skills and the development needed to be able to ‘code’ securely.

However, it should also be noted that being secure by design is an ongoing process and not one that is forgotten as soon as a project is complete.

IT systems aren't static.

They are modified and patched once deployed and have an inherent risk that needs to be managed by IT teams as part of any risk and compliance management program.

How can CSOs overcome these challenges?  

Organisations should look to augment their recruitment and look for developers who are trained in DevSecOps.

Working with a partner like Aura which can implement training and development programs for their teams is also worthy of consideration.

CSOs should also add secure code reviews to a development program, which will provide insight into any issues in a development plan early on in the cycle, avoiding the challenges where these are normally ‘tested’ very late in the program.

Aura considers a secure by design approach to include the following four-phase process:

  1. Design Phase – potential security risks are identified by software and infrastructure security architects.
  2. Build Phase – our consultants help CSOs check that they are building their systems in a secure way.
  3. Test Phase – conduct of end-to-end penetration tests to ensure any security flaws are remediated and provision for full visibility.
  4. Operate Phase – ongoing analysis, reporting and security optimisation occurs for the duration of the system's operating life.

How can organisations with fewer resources protect themselves if they realise they're being attacked?

There is a saying that goes, “you can only protect against what you know is attacking you”.

When a vulnerability is identified, the need to defend against this is time critical.

By deploying a shield approach to vulnerability management, the physical source code ‘recoding’ allows for a wall to be established faster defending you from the bad guys.

The philosophy Aura promotes is that any prudent security program should have code remediation as an element, so we don't say don't fix your code, but use a shield to give you time to get that done correctly.