Approach product lifecycle management with an eye to device security in the digital age.

October 28, 2016

Are You Your Own Biggest Security Risk?


Shawn Oreschnick

Today, even the smallest hint of a security flaw is enough to send people running scared. Just ask St. Jude Medical Inc. The Minnesota-based medical device company's stock recently took a dive when Muddy Waters Capital, a financial research group, made claims of "worrying" problems with the security of St. Jude's connected pacemakers and other heart-rhythm devices. In its report, Muddy Waters suggested a recall and remediation of St. Jude Medical's cardiac devices, which would result in roughly a 50 percent decrease in St. Jude Medical's revenue for the next two years -- the estimated period for remediation.

St. Jude Medical is now suing the firm for spreading false information to hurt its stock prices. I am sure we have not heard the end of this story. But this is the first time that the potential for a security breach has resulted in financial impact for a company (i.e., stock prices).

And it's not just healthcare's problem. Virtually every industry, from oil and gas and automotive to manufacturing and financial, is under increasing attack from cyber criminals. In the last year, the number of records exposed in data breaches rose 97%, according to the Identity Theft Resource Center.

Given the statistics, it's not surprising that security is the number one barrier to connected technology adoption, according to Vodafone's annual Barometer report. We know it's a problem, yet in the race to bring connected solutions to the market, security is often an afterthought.

A truly successful security strategy for connected devices will require security measures throughout all phases of the product lifecycle to better protect your company and your users.

Roadmapping

You might not think there is a need to think about security this early in the product lifecycle, but the Roadmapping Phase is the perfect place to start planning. Preparing for a cyberattack sounds dire, but it's important to consider who might attack the device or application to determine your risk. This is known as threat modeling.

In the process of threat modeling, you explore what information cyber attackers might want and how they might gain access (entry points) and get out (exit points). Every avenue must be evaluated and assessed. With connected technology, your entry or exit points may even be devices or applications to which your product connects. Once you have identified the potential threats to security, you can estimate the total damage potential and how a breach would affect users to determine your overall risk.

But threat modeling is exactly what it sounds like--a model. It is limited in its scope, and while it will help you to understand the dangers, it won't tell you how to manage or mitigate them.

Development

Integrating everything you have learned from your threat model into product design and development is not an easy task--but an important one. As the final product design is narrowed down and defined, security testing needs to occur on any new features or functionality that are added, to ensure they do not introduce new vulnerabilities. This is also the time to consider all of the devices and applications your product will interface with to ensure they are built with the same level of security.

Finally, before the Development Phase comes to a close, a thorough security review and penetration test should be performed to assess any new vulnerabilities or weaknesses in the product.

Fulfillment

Because cybersecurity risks are continually evolving, it is not possible to completely mitigate all risks during the Roadmapping and Development Phases of the product lifecycle.

Updating operating systems regularly is an important part of your ongoing security strategy throughout the Fulfillment Phase. Hackers target vulnerabilities in operating systems, so regularly installing updates helps close those holes and protect your data. We recommend developing a policy of notifying users of important software and security updates and enforcing update requirements as necessary.

Security is an ongoing concern that is growing larger with every new connected application. Every additional device or connection opens up another possible point of entry for real users and for those with malicious intent. Don't be your own biggest security risk--make sure you address security throughout the complete product lifecycle.

Shawn Oreschnick is director of analytics and research services at Logic PD.
