We live in a time of great flux, and, true to form, the cybersecurity industry keeps growing in complexity and scope. The AI revolution of the past 2 years has seen many enterprises scrambling to equip security leaders with the tools required to combat an increasingly borderless attack surface, not to mention growing governance and regulatory requirements demanding significant attention.
Few would envy CISOs faced with these circumstances. Still, while change can be challenging to navigate, the current security climate feels like the perfect time to embrace measures that will improve software quality and reduce risk for years to come.
I work with some of the most talented, resilient security professionals on the planet, and many of them are reinforcing their security programs to flex with the contemporary threat landscape, with their development cohorts positioned as the heart of risk reduction and vulnerability elimination.
Here is what they do differently, time and time again.
Chief Customer Officer at Secure Code Warrior.
One aspect of cybersecurity rarely discussed in depth is the notion that code-level vulnerabilities are, at their core, a human-driven issue. They are so often perpetuated by poor coding patterns and bad habits that developers have picked up throughout their careers, and these shortcuts can have devastating consequences.
Make no mistake: The blame does not lie with the development teams in any organization; it is indeed the fault of the industry as a whole, and our lack of a suitable response to their upskilling needs.
Bug bounties and security champion programs do go some way in creating security culture pillars within an enterprise, but this is rarely enough on its own. Every day I work with CISOs who are rising above the status quo, and they prioritize an approach that takes developers on the security journey, typically with executive buy-in for these internal programs.
Their developers thrive in an environment where Just-in-Time, relevant learning pathways are emphasized, as are tools complementary to their tech stacks. This helps to break down the significant barriers developers face in contributing meaningfully to organizational security goals, and paves the way for fair security-related KPI outcomes, as well.
They are assessed on security readiness and incentivized to improve
It is rather alarming that today, we live in a world that is essentially powered by software. The recent CrowdStrike outage proved just how easily a bug can bring critical infrastructure to its knees. Despite this, developers do not have a formal security certification or verification process that clears them to work on these vital and often precarious systems the same way an architect or mechanical engineer might.
Security leaders within organizations that are committing to a higher standard of software security resilience are taking steps not just to upskill the development cohort but also to routinely assess their security readiness. Perhaps a Java developer has proven themselves security-confident, but they want to be deployed on a Ruby-on-Rails project, where the skills may not necessarily translate.
A modernized security program can assess the individual, identify knowledge gaps, and pair that developer with the upskilling required to be successful, ultimately allowing them to expand their career horizons on the job, leading to higher job satisfaction and better security outcomes.
We must get to a place where data-driven insights inform rapid, high-impact company decisions; after all, the cybersecurity industry doesn’t sleep, and threat actors already have an unfair advantage over security leaders struggling with everything from the skills shortage to code monoliths that are an increasing burden within the codebase.
There is an organization-wide focus on software security and quality
One of the biggest pushes towards higher software security standards has come from CISA’s Secure-by-Design guidelines. This global movement was formed across multiple world governments, including the United States, United Kingdom, Australia, Canada, and Germany.
These guidelines promote the importance of shipping secure software from the start, and seek to establish ultimate ownership of security with software vendors, as opposed to their end-users. This is a significant break from the status quo, but, if executed well, it will assist in reducing cyber risk across the board.
The best security leaders are heeding this call, and pledging their commitment to higher software standards. For most enterprises, success will require a cultural shift that prioritizes role-based security awareness, and ongoing, hands-on support for the development cohort. However, there is no better time to get serious about uplifting internal security programs, and the sooner we do, the sooner we can point to meaningful improvements.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro