5 ways to improve security during digital transformation
April 10, 2023
Digital transformation initiatives have pushed software development to the next level. Today's consumers demand an optimum customer experience and expect modern apps to live up to high expectations. So, the average developer in 2023 must keep up with faster delivery, more eye-catching features, and better functionality.
This unprecedented growth in the software development industry has led to a massive disparity between development and security teams. While the introduction of DevSecOps helped these two teams start collaborating, the problem remains.
Why? Because DevSecOps mostly focused on embedding security into DevOps. It was all about how development teams should implement security. But it didn't train or equip security teams to work with the complexity of modern-day development environments.
Security and development teams are still at odds
The bottom line: security and development teams still have different priorities, cultures, and practices. Digital transformation only continues to push them further apart. Many security professionals lack the resources to learn how a modern-day development process works, making it tricky to collaborate with developers. Here's how this disparity continues to play out as digital transformation and security continue to collide:
Developers receive pressure to go faster, while security teams implore them to slow down so they can integrate traditional security solutions into the SDLC.
Security teams often need more personnel and resources, while development teams continue to grow in size as the demand for digital transformation grows.
Current development workflows require agile security tools that can handle large projects and work in a complex environment. Yet many security teams still use traditional security solutions designed for large, monolithic waterfall apps with late-stage security assessments.
Many developers have had access to security education and awareness for a while, thanks to DevSecOps. But, security still needs education on modern development processes, systems, components, workflows, goals, and needs.
All of these factors lead to frustration for both teams. On one end, security teams wonder why the developers won't follow instructions. On the other, developers find it difficult — if not impossible — to meet the security team’s demands.
Janet Heins, CISSP award-winning security expert, global IT leader, and advisor at iHeartMedia summarized the developer's experience with security: "I hand over my code to someone to tell me what security flaws I have, then I go onto something else, and two days later they come back, and I'm not even in that code anymore, and they list the flaws that I need to go find, fix, and resubmit — it's just super disruptive."
Richard Bird, Chief Security Officer at Traceable, has observed this ongoing tension between security and development: "No company I know of is performing at a world-class level in this space. I believe many companies are doing an okay job of balancing the challenges and tensions between security and development teams. Still, even the higher-performing DevSecOps organizations struggle tremendously with the friction caused by how long it takes security resources to address remediation. Most importantly, being just okay isn't remotely good enough to defend against, let alone win, against the bad guys."
In this post, we'll take a look at 5 things you can do to reduce that gap. For a deeper dive, check out our longer playbook: Why modern security teams need a transformation (and how they can do it).
How to bridge the security gap during digital transformation
We need to go beyond implementing DevSecOps on the developers' end. It’s time for security teams to bridge their side of the gap too. Here are a few actionable steps for them to foster better collaboration with development:
1. Increase Awareness
Education needs to happen on both sides of the equation. DevSecOps has typically focused on educating developers on security best practices. Security needs to put in just as much work. Security professionals should take the time to understand development priorities, processes, systems, workflows, and goals, ultimately aiming to become trusted partners.
2. Select the Right Tools
Security solutions must be developer-friendly: easy to learn, intuitive to use, and seamlessly integrated into familiar workflows. Developers have to balance several priorities at once; security is often one of the last things on their minds. So, security teams need to find tools that developers can use with minimal effort outside their daily processes.
3. Ask the Right Questions
Picking the proper security tools is one thing; putting them into your organization's SDLCs with the right security strategy is another. It's essential for security teams to ask the right questions as they select and integrate tools into the developers' workflows. A few examples of good questions to start with:
What are the best ways to seamlessly integrate our solutions into the development team's workflows without impeding their cadence?
How can our solutions deliver the most relevant, problem-solving, actionable results for developers?
4. Initiate Effective Internal Practices
Security teams should also establish and define security and developer roles, then monitor them with designated metrics. Define who owns what, who's accountable for each element of the security process, and, generally, what security-development success looks like. Many teams benefit from using scorecards to track these metrics.
5. Celebrate Success
When someone on the development team does something significant for the development team's security process, celebrate them! It's a great way to spread awareness and encourage other team members to contribute to security initiatives.
A mindset shift for security teams
With today's threat landscape, it's no longer optional for organizations to break down these barriers between development and security teams. And let's be honest — neither team wants to deal with this tension anymore. Fortunately, there is a way forward from here. It’s all about creating a true culture shift of roles, responsibilities, and collaboration amongst developers, DevOps/platform, and security alike. This mindset shift gets everyone on the same page, enabling security teams to work alongside modern software development — now and for years to come.
Find out more about transforming security teams by downloading our playbook, Why modern security teams need a transformation (and how they can do it).