Our IT Executive Roundtables are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. The group met remotely to discuss bridging the gap between security and development teams led by the CISO of a leading real estate investment trust company. This Session was sponsored by Synk.
To ensure the secure development of software applications at the pace of the market, it’s crucial for security and development teams to work together closely. Security can no longer be an afterthought or the sole responsibility of the security team. It needs to be made an intrinsic part of the software development life cycle. But how do you bridge the gap between developers and security professionals? How do you cultivate the ideal relationship between the two teams?
An executive said it can be difficult for different teams to stay aligned in today's fast-paced world. Developers and security professionals have different aspirations and goals. In a cloud-centric and agile setup, developers are expected to build, test, and ship applications fast. They are focused on these questions:
Conversely, the security team strives to ensure that applications remain free of exploitable bugs and vulnerabilities. They are focused on whether open-source packages have a valid license and if there are any security hotspots in this newly pushed code. These contrasting goals and responsibilities are the main reason why security and development teams are still siloed in most organizations.
A participant suggested that to break the silos between security and development, there is a need to promote active and open collaboration between the two teams. Both teams should share ideas, discuss features, and agree on secure coding processes and practices. It also helps to conduct regular security training and workshops to educate developers on the latest security developments. Invest in modern security tools that both developers and security experts can use for static code analysis, penetration testing, and vulnerability analysis.
While describing the ideal security-dev relationship, a speaker used the analogy of a bike and its chain. If the chain is too tight (i.e., the relationship has too much friction and adversity), it might slow you down (i.e., increase speed to market). If it’s too loose (i.e., no friction at all), it may come off (i.e., downtime resulting from a cyberattack). Having a healthy amount of friction between the two teams is imperative, promoting secure development but not hindering productivity.
A contributor mentioned that security shouldn’t be regarded as a cost center but as a business enabler. All stakeholders must agree that securing applications is just as important as releasing them quickly. A robust security program will protect against potential cyberattacks and ensure maximum business continuity. It’s important to nurture an organizational culture that establishes security as a shared responsibility. Building a security champions program to spread security awareness, conduct periodic audits, and refine security controls can help.