May 26, 2022
During SnykWeek Boston, Simon Maple (Field CTO, Snyk) led a panel discussion about developer adoption of application security. The panelists included:
Nicole Holden, Manager of AppSec at Datto, Inc.
David Matousek, Director, Lead Technical Product Owner, Cybersecurity Engineering at Manulife
Chris Gervais, former CTO & CSO at Kyruus (recently joined Ready Education as CTO)
Want the TL;DR? Here are some of our favorite takeaways:
Even at a very decentralized organization, it’s key to centralize security monitoring
Transparency enables teams to be more data-driven and successful
Set harder security goals year over year to realize continuous improvement
Automate compliance wherever possible to help developers do the right thing
Read on to dive deeper into these illuminating insights around organizing security teams, setting security goals, empowering developers, improving compliance, and much more.
Combining centralized and decentralized security teams
According to David Matousek, Manulife’s decentralized security program initially grew organically — with security teams located across different geographic regions throughout Asia, Canada, and the United States. “Each one of these organizations developed a culture of security that was based on regulations inside of their country,” stated Matousek in the panel discussion.
As Manulife grew to over 3,000 developers worldwide, the company didn’t have insight into each of these business units. “So we took the decentralization of our implementation,” Matousek explained, “but centralized our monitoring so that we could understand how the different areas were securing our applications.”
The advantage is that the company has hyper-local teams doing security and creating application security processes that make sense to the development teams they support. At the same time, Manulife has all the information at an enterprise level to make data-driven decisions for the business and provide value to customers.
The importance of setting security goals
At Manulife, transparency from the local team all the way up to the enterprise level also enables the organization to set overall KPIs. “Our key risk indicators of our enterprise help us understand where we need to step up our game,” Matousek said. “And when we meet all of those goals, we make them a little bit more difficult the next year.” He says this has led developers to be more efficient by creating processes to automate security, which has led to many positive changes in the organization.
While Nicole Holden agrees that it’s important to set security goals at the enterprise level, she believes it’s also critical to support goals that come from individual development teams. “Goals need to be bi-directional,” she explained. “So if the leadership is aware of the goals of the development teams and supports them, developers will be more motivated to support the goals of the organization.”
Chris Gervais also believes it’s the leadership’s responsibility to share those goals across functions so the rest of the company can understand how these goals relate to each other. “It’s really important to ensure that this isn’t just a security or engineering thing,” he added, “but they’re truly cross-functional goals for the business.”
How do you get developers on board with compliance?
According to Gervais, it’s not about getting developers to love compliance, but getting them to understand the business reason behind it. While many developers believe security is only about complying with auditors, it’s actually a requirement for most customers.
“We’re trying to be best in class at being a trusted partner and we need to recognize that we’re part of our partner’s digital supply chain,” Gervais said. “And that broader context about application security sometimes gets glossed over.” It’s the security team’s role to help developers understand that security and compliance build trust with customers and are critical to the business.
Holden added that most of Datto’s clients are SOC2 compliant, so adhering to compliance really is a business requirement. “The nice thing is that when you have those compliance processes in place,” she explained, “that is when you start creating your own standards, policies, and frameworks for this work, it ties right into the compliance structure.”
For the distributed teams that Matousek deals with, compliance is a little bit different in each region. “The key is to automate the compliance requirement away,” he suggested. “Then when developers from another business unit come to the security team with a compliance problem, you can scale your automated compliance processes.” The more you can automate compliance requirements, the easier it is for developers to do the right things.
What does developer empowerment look like?
The panelists agree that developer empowerment is crucial for effective application security, but they each have slightly different opinions on how to achieve it. “You definitely reach a point of critical mass, and it all goes back to trust,” Holden said. Your developers have to trust the security team to support their projects, but she says it takes time to build that trust throughout the entire organization. “You start with one developer at a time and eventually everybody is working together knowing they have the ability to do what’s right.”
Matousek believes it’s slightly different for the decentralized teams at Manulife. While he agrees trust is important, Matousek says being transparent about the successes and failures of the security team is the key to building trust with developers across various business units. “The development teams see that we’re not afraid to talk about where we fail,” explained Matousek, “but we also want to show how we succeed.”
In the end, Holden says developer adoption is all about socialization. “Any time the security team wants to start a new project, adopt new standards, pick up a new framework, or bring in a new tool,” she said, “the first step is speaking with development teams.” Starting with transparency and communication is the key to improving developer adoption for every project the security team does.