Governments are now moving to tighten data privacy laws, and companies that fail to adequately test and improve their standards for data security and privacy are in for a tough time. California started the trend towards stiffer data privacy laws, and dozens of other states are following in the absence of a federal standard.

Andrew Burt wrote this article for the Harvard Business Review:

This new approach is, in some sense, the unavoidable consequence of our widespread adoption of digital technologies: The more time we spend using software-based systems, the more effort we collectively require to ensure that these systems are secure. That will translate to more privacy and security personnel spending more time and resources securing all the software we use.

Companies that create and deploy software can ready themselves by adopting two strategies.

First, they must focus on embedding security processes into the software design and deployment life cycle as early and as often as possible. There are a number of existing methods they can draw upon to do so. Software vendors can look to examples like the so-called DevSecOps movement — a cousin of the more widely known DevOps — which inserts security personnel directly into the ongoing course of development and operations (hence the name).

Companies that purchase software can continuously track their attack surface and ensure personnel such as “red teams,” which simulate attackers, are actively probing their networks and monitoring their security posture.

Regardless of what method they choose, companies will have to demonstrate that security and privacy controls are not simply an afterthought but are a core requirement in and of themselves. Companies will, as a result, be required to carefully track the time and resources spent testing and securing all the software they create or manage.

Second, companies will also need to connect the resources they spend on privacy and security to the volume and complexity of the code they seek to protect. As the number of lines of code in any given software system grows, or as its user base expands, organizations will have to increase their efforts to protect the privacy and security of their users as well.

Tying the intensity of data protection programs to the volume and complexity of underlying security needs is precisely what enacted and proposed laws are calling for, many of which — including the Data Protection Act in Ohio and one proposed bill in New Jersey — mandate concrete, evidence-based, and adaptive data-protection programs.