A common complaint against Information Security (be it IT security, OT security, or IoT security) is that security costs money but doesn’t deliver business benefits. Wrong!

In a short-term perspective, security incurs cost. Thus, quarterly reporting by organizations and short-term targets pressure security to be an afterthought. However, mid-term and long-term, this changes. It obviously is cheaper to code using simple APIs for security functions than hard-coding security into every application and maintaining that code. Application Security Infrastructures reduce cost. Even more, it makes application development more rapid and agile – the security infrastructure can be changed, updated, and enhanced without affecting applications.

Or, to bring up an example from another recent post:

But that is only one part of the problem. The lack of Security by Design and Privacy by Design is also becoming an inhibitor for the Digital Transformation. An essential element of the Digital Transformation is the change of business models, including rapid innovation and (ever-changing) partnerships.

A simple example that illustrates the limitations caused by the lack of security and privacy by design is the black box EDR (Event Data Recorder) becoming increasingly common an increasingly mandatory by legislation. Both automotive vendors and insurance companies are interested in “owning” the data held in such devices. While I come to the complexity of dealing with data access demands and requirements of various parties later in this post, it is obviously impossible to easily solve this conflict with technology that e.g. relies only on a single key for accessing that data. Modern concepts for security and privacy would minimize such conflicts by allowing various parties to have defined and controlled access to information they are entitled to access.

Cynically said: automotive vendors are rushing to roll out new features to succeed in the Digital Transformation, but by failing to do it right, with Security by Design and Privacy by Design, they are struggling with exactly the same transformation. Neither security nor privacy can be an afterthought for succeeding in the Digital Transformation.

Another example is the scenario described in the recently published Lloyd’s report “Business Blackout”. This report describes the cost of cyber-attacks against the US power grid. While this is more about the cost of security as an afterthought, there is also an indirect agility aspect: new regulations will require better security – and then security by design drives agility.

In general, the ability to provide services in these times of ever-changing (and ever-tightening) regulations as well as massive differences in regulations depends on the ability to re-configure your services, instead of re-coding them.

And maybe even Facebook would have been better advised in spending money for security and privacy by design instead of for lawyers and lobbyists in Europe. Then many more Europeans might use Facebook actively then do today, with more controls for privacy they could use to configure Facebook’s behavior.

The good thing, though, is this: once you have prepared your organization for security by design and privacy by design, it becomes more agile. It is ready for faster development of software or connected things and for more agile transformation of business models. It is a one-time investment, so to speak – with massive long-term, as well as near-term benefits.