Measuring ROI is the bane of many executives, and CISOs remain under scrutiny to prove the business value of cybersecurity efforts, as well as the effectiveness of their program over time.
For years, many CISOs have struggled to influence their development cohort on the importance of putting security first, not to mention working to control an increasingly complex threat landscape and spiraling attack surface, all while navigating a security skills shortage with no end in sight.
They need a new approach, one that helps to uplift the security culture organization-wide while ensuring AppSec professionals and developers alike have what they need to drive down vulnerabilities and subsequent risk. They can inspire a security-first mindset, all while accessing state-of-the-art measurement tools to ensure upskilling and education efforts are working across the board.
The chasm between “good” and “great” developers is widening, and some verticals are ahead of the curve
As much as some of us would like to return to the simpler times of the 1990s, aspects of how we lived life back then simply don’t translate to the present day, and software development is no different. However, many organizations—especially those with complex legacy systems and code monoliths—struggle to modernize their security programs to accommodate a rapidly digitizing world that constantly demands more from software. AI coding assistants can increase the productivity of less complex coding tasks by up to 50% according to one McKinsey study, bringing about further increased code velocity that many are ill-prepared to secure efficiently.
A key element we must get right for present— and future-state code quality is ensuring developers are the beating heart of an enterprise security program. This requires precision, continuous security enablement. There is simply too much code, exposing organizations to unacceptable risk, to leave it all for AppSec specialists to wade through.
The ideal state is a veritable army of security-aware developers, and this is rapidly becoming the gauge for a strong security posture. However, with on-the-job upskilling so hit-and-miss, the gap between “good” and “great” developers is widening, and those lacking fundamental secure coding skills will find themselves left behind.
In my briefings with global CISOs across a range of verticals, most struggle to measure cohort performance in their programs, despite code-level vulnerabilities being a human problem that, ultimately, requires a human solution in the form of security proficiency among the development team. Overall, it has been my observation that enterprises in the finance vertical are more willing to try new approaches to their security programs, and develop in-house talent, and this needs to become the norm in all industries. While not every company has bits and bytes representing actual money in a bank, personal data is the new gold, and protecting it just as fiercely as real currency is paramount.
Meaningful reduction in code-level vulnerabilities is our best chance to secure the software supply chain
There is an age-old standoff between developers and their AppSec counterparts, where there is little empathy on either side for the plight of the other. Developers build, AppSec breaks. There is a serious need to align these teams to one common goal, and that is maintaining code quality and security. Until developers are enabled to assume responsibility for the security outcomes they can control, this friction is likely to remain, and it’s not too dramatic to suggest the future of digital security depends on us – as a wider industry – to get this balance right.
Supply chain attacks represent an avenue for major disruption, and, possibly, the chance of a huge payday for threat actors, so it is unsurprising that these types of breaches are becoming more frequent. As we have seen with the likes of the Colonial Pipeline attack, SolarWinds, Log4j, and the recent thwarted attempt with XZ Utils, small windows of opportunity like misconfigured APIs and successful privilege escalation can lead to years-long exploits that have the potential to affect millions of people. Quite often, these bugs are the result of poor coding patterns that many developers adopt and execute every day, and will continue to do so unless their secure coding skills are honed, assessed and verified.
Cutting-edge CISOs, however, are no longer leaving this to chance, and they are raising the bar with three key tactics:
- Executive buy-in: CISOs have traditionally found some resistance in boardroom conversations, largely due to the notion that cybersecurity is viewed as a cost center, with return on investment difficult to prove.
The best CISOs demand their seat at the table, articulate the necessity of a funded security program, and deliver a vision that their fellow executives can endorse.
- Holistic, developer-driven security programs: Security programs that fail to address the people factor in driving down vulnerabilities clearly trail behind those that do, but true innovation is realized by CISOs who make developers the star of their show.
There are vastly more developers than AppSec specialists – in most enterprises, the ratio is 100:1 or worse – and when the development team can write quality, secure code at speed, the pressure normally reserved for the scant team of security professionals can be eased. In a true DevSecOps environment of shared responsibility, this is not an unattainable cybersecurity nirvana: it’s the standard.
- Continuous optimization through benchmarking, training, and skills verification: What cannot be measured cannot be improved, and the best CISOs adopt a deliberate strategy to measure every part of their programs and devise pathways for improvement.
Developers especially need role-based, comprehensive upskilling pathways, and these need to replicate the work they do in their day-to-day. They should be assessed before and after training programs, and only those with verified security skills given access to more sensitive projects and repositories. Forward-thinking CISOs endorse learning activities and skills verification that are incentivized, offer some prestige, while also ensuring safer coding practices and access control.
Benchmarking security skills is key to next-level secure development
We must place collective effort into addressing and uplifting developer security skills, with precision not previously afforded to this significant piece of the cybersecurity puzzle.
CISOs must lead from the top in empowering their organizations to benchmark and optimize security performance, setting a standard for future security programs that achieve business outcomes and exceed the current status quo.
