Digital entrepreneurs: Beware the risks of rushing to market
Start-ups aiming to take advantage of new e-commerce and application development opportunities should be cautious of rushing in blindly, says ViC IT Consulting.
The lockdown has not only fast-tracked many local digital transformation initiatives, it has also caused job losses and a resulting wave of would-be digital entrepreneurs. While many of these people may have brilliant business ideas, they need to be aware that the applications they develop and procure to support their businesses could prove to be their downfall if they are not careful, says Rakesh Sambhu, Head of PMO at ViC IT.
Security should be built into the software development life cycle from the start, not bolted on at the end to satisfy compliance; by the time a development project is finishing, it is too late to add it.
“Breaches are increasing dramatically worldwide, and any start-up whose systems and applications prove vulnerable could suffer reputational damage so severe that they could have to restart the company,” Sambhu says.
Putting security first in the software development life cycle
In the past, security was only considered towards the end of the software development project. Sambhu says this is still a prevailing problem, although there has been a significant mindset change owing to a rise in cyber breaches.
“Bringing security in at the end of the project is not ideal, not least because development teams traditionally used copies of production data for their testing. Depending on the type of application that was in development, financial data or customer data became vulnerable to misuse,” he says.
“Apart from the legislated information governance regulations such as POPIA and GDPR, enterprises are realising the significant impact that data breaches can have, especially the reputational damage in the case of a data breach or leak. Security has now become a priority as early as the scoping phase of a development project, and development teams now use tokenised data for their application development.”
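The tokenisation of test data described above, as an added worked example (not code from ViC IT or the article): sensitive fields in a copy of production records are replaced with deterministic, format-preserving tokens before the copy is handed to developers. The field names, the sample records, the HMAC key and the `example.invalid` mail domain are all constructed for illustration. Because tokens are derived with a keyed HMAC, the same input always maps to the same token, so joins between tables in the test copy still line up, while the key and the token-to-original vault stay in production.

```python
"""Tokenise a copy of production records before it reaches a dev/test environment.

Added example, not ViC IT code. Field names, sample records and the key
are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Fields whose real values must never reach a development environment (assumed schema).
SENSITIVE_FIELDS = {"email", "card_number", "id_number"}


class Tokeniser:
    """Replaces sensitive values with format-preserving, deterministic tokens.

    The HMAC key and the vault (token -> original) are the only things that
    can reverse a token; both stay in production, never in the dev copy.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._vault: Dict[str, str] = {}  # "field:token" -> original value

    def _digest(self, field: str, value: str) -> bytes:
        # Bind the field name so the same string in two fields gets different tokens.
        msg = field.encode() + b"\x00" + value.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def tokenise_value(self, field: str, value: str) -> str:
        digest = self._digest(field, value)
        if value.isdigit():
            # Keep length and character class so card/ID validation code still runs.
            num = int.from_bytes(digest, "big")
            token = str(num).zfill(len(value))[-len(value):]
        elif "@" in value:
            # Replace the whole address; example.invalid can never receive mail, so a
            # test system that sends notifications cannot reach a real customer.
            token = f"user{digest[:6].hex()}@example.invalid"
        else:
            token = "tok_" + digest[:8].hex()
        self._vault[f"{field}:{token}"] = value
        return token

    def detokenise(self, field: str, token: str) -> str:
        """Production-side lookup; raises KeyError for tokens this vault never issued."""
        return self._vault[f"{field}:{token}"]

    def tokenise_record(self, record: Dict[str, str]) -> Dict[str, str]:
        return {
            k: (self.tokenise_value(k, v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()
        }


# Constructed sample records standing in for a production extract.
PRODUCTION_EXTRACT: List[Dict[str, str]] = [
    {"customer_id": "1001", "email": "thandi@example.com",
     "card_number": "4111111111111111", "id_number": "1234567890123", "plan": "gold"},
    {"customer_id": "1002", "email": "sipho@example.com",
     "card_number": "5500000000000004", "id_number": "9876543210987", "plan": "basic"},
]


def build_test_dataset(key: bytes, records: List[Dict[str, str]]):
    """Return the tokeniser (stays in production) and the dev-safe copy (leaves)."""
    tokeniser = Tokeniser(key)
    return tokeniser, [tokeniser.tokenise_record(r) for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: fetched from production's key store
    _, dev_copy = build_test_dataset(key, PRODUCTION_EXTRACT)
    for row in dev_copy:
        print(row)
```

Two caveats a practitioner should note. Deterministic tokens preserve equality, which is what makes joins work but also means a developer can tell that two rows share an e-mail; if that is unacceptable, use random tokens and a vault lookup instead. And digit tokens keep length but not check digits, so an application that validates card numbers with Luhn needs the final digit recomputed.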
In an ideal environment, building in security from the beginning is a concerted effort by every member of the development team. This responsibility cannot be handed off to others in the organisation; when it is, the blame for security breaches lands on one role, which is one reason CISO tenures are so short-lived.
Says Sambhu: “An ideal scenario would be a top-down approach where the CEO mandates his exco to prioritise security on all projects. To get to this, leaders of enterprises need to first understand the impact of a security breach before this can be mandated. Security has always been considered a grudge purchase and it has only fairly recently become more evident that it should not be ignored. ViC IT can assist with these types of projects by building roadmaps and classifying the needs versus wants. Budget needs to be made available, and resources have to be trained to be one step ahead of the evolving sophistication of criminals and techniques that they use currently.”
Due diligence for SMEs, start-ups
For software entrepreneurs, start-ups and SMEs, Sambhu recommends following the best practice lead of large enterprises in building security from day one.
For those not developing their own software, it is important to carry out due diligence on the development partner, and to carefully consider the pros and cons of the partnership, Sambhu says.
“It is necessary to consider more than just the security of the application, but also the risk inherent in the partnership: for example, looking at who will own the code and host the application, and whether a shared risk model is appropriate for the business.”