Updated: May 22, 2019
This post refers to the broad range of (cyber)security including privacy, legal, and compliance spanning development, operations, marketing, sales, services, or support. I'm using a cake analogy, which admittedly isn't the best considering that so many of us want to "have our cake and eat it, too." Beyond that, I think it works pretty well since I can slip in an infamous Steve Jobs quote and everyone already understands cake as well as the concepts of a recipe and ingredients. The focus will be on security, reiterating my belief that it must be an ingredient in your product (the cake) that is baked-in and part of the frosting (versus only in the frosting).
However, cybersecurity is a very expensive ingredient and used in the wrong proportions, it can ruin a product. In rare cases, too much security can make for a product that is too expensive for a customer, has performance issues, or isn't ready to sell on time (if ever) — technology products do have a limited shelf-life. The more likely cases have too little security baked-in and/or there is an attempt to deliver security only as a late frosting. Either situation isn't good, but over-reliance on frosting (e.g., perimeters, operational security, and most incident response driven investments) has the more significant downsides.
One of those downsides is the not so obvious tendency for security and privacy teams to overplay incidents and make "grabs". But it really isn't their fault and they aren't doing it out of greed. They really want to do the right thing and be a properly proportioned ingredient in the product recipe (see our post on Left-Shifting). But security can become aggressively opportunistic given their struggles — being often viewed as a "check-box," "table-stakes," or a tax and seeing their investments cut or moved to other parts of the business (usually those providing new or more robust capabilities). Security and privacy teams are constantly questioned on ROI, which is notoriously difficult to quantify, usually as incident response costs and brand damage. It seems that executives or board-of-directors don't truly understand the fully-loaded cost an incident or breach until it happens — despite there being good data available (e.g., Breach Level Index or F5's decade report). Or, they think "we're not a target," though indiscriminate attacks such as Ransomware should change that thinking. When push does come to shove, capabilities and services (ingredients) that are marketed and have clear, demonstrable ROI get the investments over less tangible things like security (or QA). Or, they get pushed out to later stages as less effective and more expensive "bolt-ons" (frosting). So, when an opportunity or incident arises, security organizations overplay it and make grabs to reduce existing debt or build an escrow (funds, resources, etc.). There are some ways to reduce this downside:
Ensure that security organizations have time in front of executives or board-of-directors and that there is a shared understanding of security posture, risks, and road-map (see our post on the difficult CSO job)
Do incident response simulations that include a postmortem phase where costs and future impacts are estimated.
Involve security early in the product process (recipe) establishing specific security requirements (ingredients) and developing a shared understanding of the real impact to security changes or cuts.
There are many downsides to late stage, frosting approaches, but cost is the most significant and obvious. Though security investments are expensive anytime, their expense increases exponentially later in the process and the only option then may be mitigation versus fixing. Cylidify recommends a tailored recipe with all ingredients in the right proportions. Under proportioning is the most likely case for security and privacy, but it is surprisingly easy and common to have the wrong ingredients or proportions by not tailoring the recipe to fit the market or client needs.
No amount of frosting will mask the taste of a cake that is missing an essential ingredient. (I really can't think of any technology product or scenario that doesn't need some amount of security and privacy.) You might be able to sell a few beautifully frosted but bad tasting cakes. However, the market will figure it out eventually, and you will need to scramble on mitigation. In the case of security or privacy, it may go beyond a "bad taste" to a risk for your customers that can represent a significant cost to your business (short and long-term) and tarnish your brand — sometimes causing irreparable harm. Know your market, develop a recipe with the right ingredients in the right proportions, follow the recipe, and deliver beautiful and great tasting cakes (products) to your customers!