Matias Madou at Secure Code Warrior describes how CIOs can nurture a more effective cyber security culture
The threat to businesses from cyber-breaches and attacks continues to grow. Analyst firm Check Point Research (CPR) recently reported that the second quarter of 2022 saw an all-time peak, with global cyber-attacks up 32% compared to Q2 2021 and the average number of weekly attacks per organisation worldwide reaching 1,200.
In a world where highly disruptive data breaches happen every other day, every business is trying to avoid being tomorrow’s headline: no company can afford to compromise on security.
Developers need to be involved in this battle, and one of their core priorities should be creating secure code. Unfortunately, recent research indicates this is typically not the case today. Our State of Developer-Driven Security survey found that just 14% of developers consider security a priority when coding.
Feature-building is still king in the developers’ world and many of them remain ill-equipped to make security part of their DNA. This highlights the need for a rethink to create a more collaborative approach based on positive engagement.
How CIOs can help
CIOs can play a key role here in building this positive, nurturing culture around developers and ensuring they always have a focus on developing high-quality secure code. That’s core to their function.
CIOs, especially in large organisations, are rarely “on the tools” in terms of writing code. They do need deep technical knowledge, especially of networks, architecture and advanced coding concepts, but their primary functions lie in the realm of leadership, strategy and business innovation.
CIOs are responsible for orchestrating and upholding best practices, and that can include security best practices in conjunction with, or in the absence of, a CISO. Ultimately, they are in a highly influential position, setting the tone for acceptable coding standards, providing guidelines and carefully selected tools and training options that allow developers to meet stringent standards of security and quality.
A good CIO will focus time and attention on getting to understand how developers work and the common tech stacks they use. Choosing tools and training solutions that are not fit for the job will only hinder them and won’t have the positive impact on software quality that might be intended. This kind of understanding needs to be a key priority for any CIO.
Working together to tackle the security challenge
CIOs also need to understand the importance of integrating developers into the wider security consciousness of the organisation as a whole, and more importantly, ensure they are working closely with the security team to achieve a secure business environment.
That doesn’t always happen. Security teams and developers are often overworked and carry out their duties in isolation from each other, which leads to duplicated effort and adds to the workload of both groups. This cannot continue in a climate where over 100 billion lines of code are produced each year and cyber security is a hot-button issue all over the world.
While developers are key to tackling the cyber-security challenge, they should never be left to work in isolation on it. Security should be considered everyone’s responsibility, with role-based priorities contributing to an overall solid security culture.
CIOs have an important role here in encouraging the two groups to work more closely together. When the security team collaborates with developers and the operations team from the very beginning, the organisation is in the best possible position for vulnerability remediation and posture hardening.
Meaningful and effective collaboration starts with right-fit training and nurturing the skills required to get the job done. This is especially important for developers, who traditionally receive little training in secure coding and are not measured on their ability to write secure code.
Having the development and security teams aligned and delivering safer software together is core to a viable cyber-defence strategy. CIOs need to get behind such an approach and make sure it is enforced within their organisation.
Many benefits are likely to spring from this co-operation between the two groups of workers. Security at speed is achievable when individuals are enabled to play their role and share the load in a functioning DevSecOps practice. Finding and fixing common vulnerabilities early, while taking the pressure off the security team, is far more efficient than fixing them late in the software development life cycle (SDLC) – or worse: after a terrible breach has occurred.
A strategy built on bringing together security teams and developers to nurture an ideal, collaborative environment is likely to go a long way toward ensuring that the business is successful in developing high-quality secure code. But even then, no CIO can afford to rest on their laurels. One of the biggest challenges is the speed at which technology changes, coupled with the insatiable demand customers inevitably have for digital solutions and software.
It is vital that CIOs are given the freedom to be transformative and innovative. Falling behind is not an option. CIOs need to be laser-focused on ensuring that their organisations deliver optimum levels of security in the most effective way possible. That has to be their vision, but in delivering on the journey, it is crucial that they bring their developers and security team with them.
Matias Madou is CTO and Co-Founder, Secure Code Warrior
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543