Security, Privacy Should Never Be a Design Afterthought
Stephanie Balaouras, a principal analyst and research director at Forrester Research, put it a little differently at a recent press event, noting that no one designs an airplane without thinking about security at the start of the design process. "It sounds crazy to deploy and then think about security, but that's what is happening in many organizations," Balaouras told eWEEK.
Related to security, Pfleeger said the second erroneous perception was the idea that privacy could also be added back in afterward. Organizations are under pressure to get the service or product off the ground and get people interested to build buzz, he said. While he called out Facebook as one of the culprits of this kind of thinking, he said other social media sites and organizations were guilty of the same. Facebook is the poster child just because it happens to be one of the largest examples, he said.
Many security professionals say that encryption solves all security issues, but in actuality, that expectation is "overrated," Pfleeger said. While protecting the data is important, the reality is that there are problems with implementation, leaving data unprotected. Organizations also have difficulty managing keys effectively, for example by storing them in insecure locations or by not knowing where the keys are after essential employees leave the company.