Imagine building a residential house, but instead of integrating all the plumbing under the floors and within the walls, you leave it to the last minute and are forced to make compromises as you run pipes around the outside.

The house may look like some cool hybrid steampunk version. Functionally, it would be very inefficient and create more problems, particularly when it comes to insulation.

The point is, integrating the plumbing into the core foundations of the floors, walls, and ceilings goes beyond aesthetics; it also enhances efficiency through the use of shorter, insulated wrapped pipes.

Security should not be an afterthought – though some have not got the memo. Creating an API platform, and then putting a firewall (such as AWS’s WAF) in front does not security make.

The importance of integrating security in every step of the architecture comes from the top – from you, the Chief Technology Officer. Whether you are building or integrating software, the question remains the same: at each step, what exposure are we introducing to the system and what can we do to mitigate it?

Too many times, I have sat with an engineer, all proud of their sophisticated encryption algorithm choice, but they have misunderstood how key management works and effectively left the key under the mat in enterprise terms.

Security is more than choosing algorithms, cipher selections, and key management. It is about identifying the attack surfaces and minimizing those as much as possible. Attack surfaces appear all the time. What was perceived as secure today may no longer be the case tomorrow.

As a CTO you should be asking (and having answers) the following questions:

• How does your architecture cope with an evolving security threat?
• How do you know your defenses are still operating?
• Do you know if you are under an attack at this moment?
• Have you got the adequate logging on that will alert you to a potential new threat?
• Has someone managed to be creative and fool one part of your system into doing something you hadn’t thought of?
• Any unusual activity going on?
• If you did detect an intruder, do you have a kill switch?

There are many layers to security; from prevention, monitoring, detection to reaction, they all play their part, and everyone in your team has to be aware.

Security isn’t something you purchase and add on, it has to be part of the foundation (the DNA) of everything you build/integrate. Every person in the team has to be fully aware, as it takes only one breach in the dam for the water to start coming in.