Our IT Executive Roundtables are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. The group met remotely to discuss bridging the gap between security and development teams, led by the CISO of a leading not-for-profit health insurance company. This session was sponsored by Snyk.
In today’s fast-paced world, security and development teams can no longer function in silos. Each team must help the other to achieve shared goals. This inter-team collaboration can lead to an improved security posture and better productivity. But why is there a security-dev disconnect in the first place? Is it a technical or a people problem? And how can we break this disconnect?
A speaker remarked that there’s often a lack of shared context between security and development teams. Both teams have different goals and responsibilities. When they don’t speak the same language or try to understand each other, it inevitably leads to friction. Moreover, security is always seen as the Center of No! The misconception that the goal of security is to slow things down and impact release cycles is another reason developers and security experts remain unaligned.
The increasing adoption of cloud and agile development may also contribute to friction. Historically, the perimeter of an application was well-defined. Today, the application defines its own perimeter in the cloud and determines which resources it needs at runtime. Vulnerabilities, misconfigurations, and bugs in the cloud context are more complicated and often require assessment by the developers. But how do the security teams inform the developers of these issues at the right time and in the proper context so that the developers can fix them correctly?
An attendee said that the security-dev conflict isn’t a technical problem but a people problem. People lack the will to change. Historically, developers were only responsible for shipping code at the pace of the market. The security team was only responsible for setting up VPNs and firewalls on in-house infrastructure. Essentially, the two teams could function independently. Today, they need to collaborate toward a shared outcome. They need to understand each other’s problems and ideas. This breakaway from the original way of doing things takes conscious effort and is often met with resistance.
With ransomware attacks happening at an alarming pace and more zero-day vulnerabilities being discovered than ever before, cybersecurity has become crucial for business continuity. It must be embedded in the fabric of everything a business does. Whether you are writing code for legacy applications or spinning up Kubernetes clusters in the cloud, you need to adhere to security controls to avoid compromise. Security can no longer be sprinkled on afterward; it needs to be made an intrinsic aspect of software development. All this can only happen when security and development teams are actively collaborating.
A participant mentioned that it’s important to integrate security into development workflows. It shouldn’t be optional. Developers should be held responsible for the quality and security of their code. That said, it’s also important to provide developers with the right tools to test and secure their code, e.g., tools for static analysis and pen testing. The security team should also enable this change by educating developers on security-related topics, such as how to check whether an open-source library has the right license, or how to test code for memory-related issues.
A cybersecurity expert added that incentivizing developers who write secure code can also help. For example, at the end of a business year, you can award the developers who created the most bug-free PRs. Instead of a prescriptive approach, cybersecurity leaders should take an enabling approach. Instead of telling people what to do, they should enable and empower them to make the right calls on their own.