Prof Clive Smallman

How can we build secure systems from components that aren’t?

At the Australian Institute of Company Directors Governance Summit 2023, Dr Jane Lute, Former Deputy Secretary, US Department of Homeland Security, asked,

“How can we build secure systems from components that aren’t?”

In today’s digital age, building secure computer systems is essential to protecting sensitive data and ensuring that organisations can operate safely and effectively. However, the challenge of building secure systems from components that aren’t inherently secure is a complex one that requires a multifaceted approach – it’s a wicked problem. In this article, I explore some key strategies organisations can use to build robust, secure systems.

Secure Configuration Management

One of the essential strategies for building secure computer systems is to implement secure configuration management. This strategy involves setting up a baseline of secure configurations for all devices, applications, and systems. By configuring systems with security in mind, organisations can reduce the risk of security breaches and keep every device protected against known vulnerabilities. Typical measures include disabling unnecessary services and ports, ensuring that software is up to date with security patches, and setting strong passwords and access controls.
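A secure baseline is only useful if it is checked against what hosts actually look like. The following is an added example, not code from the article: it defines a constructed baseline (services that must be disabled, ports that must be closed, a minimum password length and a maximum patch age) and reports every deviation found in a constructed host snapshot. The baseline values, the snapshot format and the host data are all assumptions made for illustration.

```python
"""Compare an observed host configuration against a secure baseline.

Added example (not from the article). The baseline, the snapshot format
and the sample host are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed secure baseline: what a hardened host is expected to look like.
BASELINE: Dict = {
    "services_disabled": {"telnet", "ftp", "rsh"},  # unnecessary services
    "ports_closed": {21, 23, 514},                  # unnecessary ports
    "min_password_length": 14,
    "max_patch_age_days": 30,
}


@dataclass
class Finding:
    check: str   # which baseline rule was violated
    detail: str  # human-readable explanation


def check_host(observed: Dict, baseline: Dict = BASELINE) -> List[Finding]:
    """Return every deviation from the baseline; an empty list means compliant.

    Missing keys in the snapshot are treated as failing (fail closed), so an
    incomplete inventory report never silently passes.
    """
    findings: List[Finding] = []

    running = set(observed.get("services_running", []))
    for svc in sorted(baseline["services_disabled"] & running):
        findings.append(Finding("service", f"{svc} is running but should be disabled"))

    open_ports = set(observed.get("ports_open", []))
    for port in sorted(baseline["ports_closed"] & open_ports):
        findings.append(Finding("port", f"port {port} is open but should be closed"))

    pw_len = observed.get("min_password_length", 0)
    if pw_len < baseline["min_password_length"]:
        findings.append(Finding(
            "password_policy",
            f"minimum password length is {pw_len}, baseline requires "
            f"{baseline['min_password_length']}"))

    patch_age = observed.get("days_since_last_patch", 10**9)
    if patch_age > baseline["max_patch_age_days"]:
        findings.append(Finding(
            "patching",
            f"last patched {patch_age} days ago, baseline allows "
            f"{baseline['max_patch_age_days']}"))

    return findings


# Constructed snapshot of one host, as an inventory tool might report it.
SAMPLE_HOST: Dict = {
    "services_running": ["sshd", "telnet", "nginx"],
    "ports_open": [22, 23, 443],
    "min_password_length": 8,
    "days_since_last_patch": 45,
}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_HOST):
        print(f"[{finding.check}] {finding.detail}")
```

Running the check on the sample host reports four findings (telnet running, port 23 open, a weak password policy and overdue patching); a host that matches the baseline returns an empty list, which is what a compliance dashboard would treat as "in baseline".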

Access Control

Access control is another critical component of building secure computer systems. Access control involves implementing policies and procedures that control who can access what data and resources. This strategy includes implementing strong authentication and authorisation mechanisms, such as two-factor authentication or role-based access control. The aim is to ensure that only authorised users can access sensitive information. By limiting access to sensitive data, organisations can reduce the risk of data breaches and ensure that data remains confidential.
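The combination the section describes, role-based access control backed by a second factor for sensitive resources, can be expressed as a small authorisation check. This is an added example, not code from the article: the roles, the permission map, the list of resources that require multi-factor authentication and the user sessions are constructed for illustration. The design point it shows is deny-by-default: a request is allowed only when some role of the user explicitly grants it and the session meets the MFA requirement for that resource.

```python
"""Role-based access control with deny-by-default and an MFA requirement.

Added example (not from the article). Roles, permissions, MFA-protected
resources and sessions are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (action, resource)

# Constructed role -> permission map. Roles only ever grant; there is no
# "deny" rule because anything not listed here is refused anyway.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "viewer": frozenset({("read", "reports")}),
    "analyst": frozenset({("read", "reports"), ("read", "customer_pii")}),
    "admin": frozenset({
        ("read", "reports"), ("read", "customer_pii"),
        ("write", "customer_pii"), ("manage", "users"),
    }),
}

# Constructed: resources whose access requires a second factor at login.
MFA_REQUIRED: Set[str] = {"customer_pii", "users"}


@dataclass
class Session:
    user: str
    roles: Set[str]
    mfa_verified: bool = False  # set by the login flow after a second factor


def is_authorised(session: Session, action: str, resource: str) -> bool:
    """Return True only for an explicit grant that satisfies the MFA rule."""
    # Step 1: sensitive resources need a second factor regardless of role.
    if resource in MFA_REQUIRED and not session.mfa_verified:
        return False
    # Step 2: any one of the user's roles must grant the exact (action, resource).
    # Unknown roles map to an empty grant set, so they cannot widen access.
    for role in session.roles:
        if (action, resource) in ROLE_PERMISSIONS.get(role, frozenset()):
            return True
    # Step 3: nothing matched, so the default answer is "no".
    return False


def explain(session: Session, action: str, resource: str) -> str:
    """One-line decision record suitable for an audit log."""
    verdict = "ALLOW" if is_authorised(session, action, resource) else "DENY"
    return (f"{verdict} user={session.user} roles={sorted(session.roles)} "
            f"action={action} resource={resource} mfa={session.mfa_verified}")


if __name__ == "__main__":
    print(explain(Session("alice", {"viewer"}), "read", "reports"))
    print(explain(Session("bob", {"analyst"}), "read", "customer_pii"))
    print(explain(Session("bob", {"analyst"}, mfa_verified=True), "read", "customer_pii"))
```

Two details matter for "only authorised users can access sensitive information": the MFA rule is evaluated before any role lookup, so no role can bypass it, and an unrecognised role contributes nothing rather than raising an error or falling through to allow.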

Encryption

Encryption is another critical component of building secure computer systems. Encryption involves converting data into a coded form that only authorised parties can read. By encrypting sensitive data, organisations can protect against data breaches and ensure that only authorised users can access the information. Encryption is essential for sensitive data such as financial records or personally identifiable information (PII).

Network Segmentation

Network segmentation is the process of dividing a network into smaller subnetworks, or segments, to reduce the impact of a security breach. For example, organisations can limit the spread of malware or other security threats by segmenting the network and ensuring that only authorised users can access specific network segments. This strategy is essential for organisations that deal with sensitive data or that have high-security requirements.

Application Security

Application security is another critical component of building secure computer systems. This strategy involves implementing secure coding practices and testing applications for vulnerabilities before deploying them. By ensuring that applications are secure, organisations can reduce the risk of security breaches and protect all systems and data against potential threats. This strategy is crucial for organisations that develop custom software or applications.

Monitoring and Incident Response

Monitoring and incident response are essential components of building secure computer systems. This strategy involves implementing tools and processes to detect and respond to security breaches quickly and effectively. By monitoring systems and data for potential threats, organisations can take proactive steps to prevent security breaches and respond promptly to any incidents that do occur. This approach includes implementing intrusion detection systems, security information and event management (SIEM) systems, and incident response plans.
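Detection tooling such as a SIEM is, at bottom, rules evaluated over a stream of events. The following is an added example, not code from the article: it applies one such rule to a few constructed authentication log lines, raising an alert when a single source reaches a threshold of failed logins inside a time window, and a second alert if that source then logs in successfully, which is the case an incident responder most needs to see quickly. The log format, the threshold, the window and the sample lines are all assumptions made for illustration.

```python
"""Detect a burst of failed logins from one source, then a later success.

Added example (not from the article). The log line format, the threshold,
the window and the sample log are constructed for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set

# Constructed log format: "<ISO timestamp> <result> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

THRESHOLD = 5                  # failures from one source ...
WINDOW = timedelta(minutes=2)  # ... within this sliding window


def detect_bruteforce(lines: Iterable[str], threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> List[dict]:
    """Return alerts in the order they fire.

    A source gets one "bruteforce" alert the first time it reaches
    `threshold` failures inside `window`; every later successful login
    from an already-alerted source gets a "success_after_bruteforce" alert.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[dict] = []

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production pipeline would count these
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]

        if m["result"] == "LOGIN_FAIL":
            failures = recent[src]
            failures.append(ts)
            # Drop failures that have fallen out of the sliding window.
            while failures and ts - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "at": ts, "failures": len(failures)})
        elif src in alerted:
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": m["user"], "at": ts})
    return alerts


# Constructed sample log: one normal user, one noisy source, one junk line.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 LOGIN_FAIL user=alice src=192.0.2.10",
    "2024-03-01T09:00:05 LOGIN_OK user=alice src=192.0.2.10",
    "2024-03-01T09:01:00 LOGIN_FAIL user=admin src=198.51.100.7",
    "2024-03-01T09:01:10 LOGIN_FAIL user=root src=198.51.100.7",
    "2024-03-01T09:01:20 LOGIN_FAIL user=test src=198.51.100.7",
    "2024-03-01T09:01:30 LOGIN_FAIL user=guest src=198.51.100.7",
    "2024-03-01T09:01:40 LOGIN_FAIL user=bob src=198.51.100.7",
    "2024-03-01T09:01:50 LOGIN_FAIL user=bob src=198.51.100.7",
    "2024-03-01T09:02:30 LOGIN_OK user=bob src=198.51.100.7",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample log the rule fires once for 198.51.100.7 at the fifth failure and again when that source succeeds as bob; alice's single failure never reaches the threshold. The second alert type is the one an incident response plan should route as high priority, because it marks a likely account compromise rather than just noise.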

Security from Insecurity?

Building secure computer systems from components that aren’t inherently secure is a complex challenge that requires a multifaceted approach. By implementing secure configuration management, access control, encryption, network segmentation, application security, monitoring and incident response, organisations can reduce the risk of security breaches and protect all systems and data against potential threats. While no system can be 100% secure, implementing these strategies can help significantly reduce the risk of security breaches and ensure that organisations are well-prepared to respond to any incidents. Furthermore, organisations can build a strong foundation for safe and effective operations in today’s digital age by prioritising security and investing in robust security measures.