Over the past 18 months, KPMG professionals have observed multiple incidents around the globe in which outsourced developers, contractors or internal digital development teams failed to implement consistent security controls across their environments. As organizations grapple with the so-called security deficit caused by the rapid development and rollout of cloud applications to support remote work, we may see more incidents like these. And while incident management isn’t the focus of this post, most will agree that a more useful approach is preventing incidents in the first place.
Security by design is part of that. Some organizations have neglected basic security hygiene practices, leading to large exposures. For example, production code has been published on public code-sharing platforms, and subsystem changes have been applied in insecure ways (hardcoding API passwords, re-using third-party code, not authenticating back-calls on APIs, inconsistently implementing logic changes and more).
Looking at these examples, I step back and wonder: why aren’t organizations redesigning their processes to be simpler, so that the basics stay at the forefront of people’s minds and practices? Why do organizations repeat the same mistakes every single time?
Is it a result of individual behaviors, or is it a symptom of broader cultural issues? Is there a better way to proceed, perhaps more automated and linked to a broader ecosystem? How can we focus on achieving better outcomes, while sustaining the creativity and innovation brought by these new teams? And most critically, have businesses done enough to fully understand their digital teams’ needs and to implement the nimble and agile processes that will support them?