Mark Knowles, General Manager of Security Assurance at Xero, discusses embedding security by design and fostering a cyber-aware culture within the company.

After conversations at Security Edge, Mark Knowles shared insights into the company’s proactive approach to cyber security.

Xero, a global cloud-based accounting software provider serving accountants, bookkeepers, and small to medium-sized businesses worldwide, places importance on robust security measures due to the sensitive nature of the data it handles.

By embedding security into the very fabric of its product development process, Xero ensures that cyber security is a shared responsibility across the organisation.


Security by design and collaborative development

Mark emphasised that Xero incorporates security measures from the inception of product development, reducing costly revisions and ensuring products are secure upon release.

Speaking to ADAPT’s Principal Research Analyst, Peter Hind, Mark highlighted that early involvement of security teams ensures seamless integration of security measures, supporting innovation rather than hindering it.

Organisations that take this proactive approach report 1.3x better cyber resilience than those that retrofit security later, because security is designed into new systems from the start rather than bolted on after the fact.

Fostering a culture of security

A cornerstone of Xero’s approach is the Security Champions Program, which empowers employees across departments to act as security advocates.

Participation is voluntary, with champions dedicating four hours monthly to training and discussions.

Additionally, gamified methods such as competitions and rewards make cyber security education engaging, boosting participation, retention, and vigilance against potential threats.


Global security strategy

Operating across multiple countries, Xero tailors its security practices to meet diverse regulatory requirements and cultural contexts.

This global perspective ensures robust and compliant security measures, safeguarding sensitive data worldwide.

Australian security leaders broadly share this commitment, allocating an average of 21% of their overall IT budgets to infrastructure protection. This spend signals a growing recognition that early and adequate investment in security both protects infrastructure and enables innovation.


Key takeaways:

  • Security by design: Xero integrates security measures from the inception of product development, ensuring robust protection throughout the lifecycle.
  • Security Champions Program: By empowering volunteers across departments, Xero fosters a culture of security awareness and shared responsibility.
  • Gamified engagement: Implementing competitions and rewards makes cyber security education engaging, enhancing participation and retention.
  • Collaborative development: Early involvement of security teams in the development process ensures that security enhances, rather than hinders, innovation.
  • Global security strategy: Operating across multiple countries, Xero tailors its security practices to meet diverse regulatory requirements and cultural contexts.
Contributors

Mark Knowles, General Manager of Security Assurance at Xero

I am an experienced, results-focused cybersecurity professional with a senior business professional background. I have more than 30 years of business and management experience and believe my leadership skills, founded on my passion for people development and an inclusive management style, allow me to create highly successful, multi-disciplined teams. I have experience in managing staff of up to 60 direct reports. I am also recognised for my ability to remove the noise, uncover core problems and issues, and lead teams to sustainable, successful resolutions. I have successfully transitioned from the financial industry to government and telecommunications. A consistent achiever, a creative thinker and implementer, driven by providing win-win solutions.
