At Corsec, we just celebrated our 15th year of business in the security validation consulting industry. As you might imagine, we spent some time reflecting on the changes we have seen in the industry, the customers we have had the pleasure to work with, and the successes and failures we have seen over the years.
There were a few specific things that kept coming up in these discussions—three factors we could identify that predicted success or failure in security validation projects.
As we mentioned in our last post, there are many things to consider when starting a security validation. In particular, we identified ROI, organizational involvement, and planning for change as three of the most crucial areas that can either make or break a validation project.
Money is important. That is a little like saying “the grass is green” or “the sun rises in the East.” Everyone knows money is important. However, it is not the “cost” side of validations that determines success; it is the “income” side. Don’t misunderstand: the cost side of validations matters. You wouldn’t begin a validation if the costs were not in line with what you could justify spending. Real success, though, comes from the return on investment you can get from a validation, and that return has to be deliberately earned. Many product companies begin a validation and fail to educate their marketing and sales staff as to what it means and which customers require it. They don’t put out press releases highlighting their validations. Their website doesn’t clearly state which validations they have worked so hard to achieve. They have not planned a recertification strategy, even though a validation applies to the specific product version and configuration that was evaluated, so without a plan for maintaining it, the next product release leaves the validated version behind. Every one of these items costs very little compared to the initial expense of a security validation, yet each contributes significantly to the ROI that can be realized from the validation effort.
Involvement throughout the organization is another factor we have identified as critical to the success of a project. Many product companies view security validations as the sole responsibility of the engineering team. While it is true that the lion’s share of the work will fall on engineering as they work through validation issues, this does not mean the rest of the organization has nothing to contribute. Product management decides which features and configurations are in scope, documentation staff produce the material the evaluators read, and marketing and sales determine whether the result is ever turned into revenue. Making sure each stakeholder is aware of the project, understands what decisions are being made and what tradeoffs are being considered, and knows when critical events will occur is essential. Organizations that keep all stakeholders involved are far less likely to see a validation stall or fail.
Plan for change. Security is a dynamic industry, and we learn more each year about how to design and build secure products. In an industry like this, change is inevitable. However, when embarking on a validation process that can last up to 18 months, dealing with change can be a daunting prospect: the standard, the testing methodology, and your own product can all move while the validation is in progress. It is critical to understand the areas that are likely to change and to plan accordingly. This requires making sure that your company, or your security consultant, keeps current with security validation standards and testing methodologies as they evolve. It also requires planning from the beginning so that your product design can absorb change, for example by isolating the components under validation from the rest of the product, so that when something occurs that you did not predict, you can deal with it quickly and efficiently.
There are certainly lots of other factors that contribute to the success or failure of a validation effort. But keep these three key points in mind as you prepare—they stand out above the rest. I can’t wait to see what the next 15 years will bring for our industry and for Corsec!
How can our experience help with your company’s security validation? Contact us to find out.