Challenges in Integrating Cybersecurity into Existing Development Processes 2020-01-0144

For an established development process and a team accustomed to this process, adding cybersecurity features to the product initially means inconvenience and reduced productivity without perceivable benefits. Adapting development processes to take cybersecurity into account introduces challenges not present in engineering divisions so far. Strategies designed to deal with these challenges differ in the way in which added duties are assigned and cybersecurity topics are integrated into the already existing process steps. Cybersecurity requirements often clash with existing system requirements or established development methods, leading to low acceptance among developers, and introducing the need to have clear policies on how friction between cybersecurity and other fields is handled. A cybersecurity development approach is frequently perceived as introducing impediments, that bear the risk of cybersecurity measures receiving a lower priority to reduce inconvenience. Moreover, this leads to frustration among cybersecurity developers when their proposals are not accepted, and they feel their work is not appreciated. On the other hand, putting too much emphasis on cybersecurity leads to feature creep and makes the development unnecessarily complicated without producing appropriate results. It seems natural to orientate oneself by how safety topics are handled in the development process and adjust this to accommodate cybersecurity. It is, however, not clear in which way these added responsibilities should be assigned, as conflicts of interest occur when a single person must additionally take cybersecurity goals into account, which might be clashing with other project goals this person is responsible for. Ideally, cybersecurity aspects are considered and integrated into development processes not only to fulfill customer and legal requirements, but also to enable developers of functionalities not directly related to cybersecurity to produce better and more robust results as shortcuts are no longer easily possible.