Before I moved to the cybersecurity field, I had been in the application development and innovation team for many years. There was one question constantly raised by our developers: “Does cybersecurity slow down my job?”
Very often, this question triggered a series of arguments on roles/responsibilities, authorities, priorities, etc. In the end, the business leader (or the big boss) had to jump in and make a decision, which was usually a kind of compromise or patch. But the tension between the development and security teams carried on; the conflict between innovation and cybersecurity seemed to be an unsolvable problem.
Having worked on both sides of this divide, I’d like to share some of my experience and thoughts. Hopefully, it will help you form a better strategy or solution.
What are the problems?
First of all, let’s hear some complaints from both teams:
Development & Innovation Team
- The security guys always say “NO” – they just try to play safe and take zero risks. For any new thing we try to use, such as an open source framework, cloud computing, an external web service, or a new development tool, they simply reject us by quoting some existing security policy.
- The security guys delay our releases – We are working on a tight deadline to deliver important functionality. To address these last-minute security issues, we will have to double our resources and make everyone work through the weekend.
- The security guys are troublemakers – they come in and run some scanning tools against our systems. Then they dump a 200+ page report on us with an insane number of vulnerabilities. It takes us forever just to read and understand them.
Information Security Team
- The developers don’t care about cybersecurity – In the name of innovation, they have no respect for our security policies, standards, and procedures. They just choose the approaches or tools which are more convenient, easier, or faster without considering any security implications.
- The developers make too many mistakes – We find the same security errors and issues repeatedly in their code, systems, tools, and processes. They never seem to learn their lessons.
- The developers are troublemakers – They just like to do things new and cool. The emerging technologies they are embracing, such as cloud computing, big data, mobile apps, IoT, AI, blockchain, are creating huge gaps in our existing security programs.
What are the root causes?
In my mind, the constant tension between development and security reflects three fundamental gaps in our tech industry:
1. Culture Gap
While you hear about more and more cyber breaches in the news nowadays, cybersecurity is usually not the top priority for many businesses. Executives and board members are mandated to generate more revenue, deliver new products/services, and establish brand names. Their focus is to move fast and do more with less. As a result, many traditional companies, including banks, now consider themselves technology companies driven by innovation.
The problem is, while they are aiming to disrupt the industry, cybersecurity often becomes an afterthought. This approach brings huge risks in the long run. But the senior management team is pressing to deliver new initiatives, which inevitably sends that message to the whole organization. So-called “Security Awareness” is hard to establish in the company culture until a major breach happens (e.g. Equifax). By then it is often too late.
2. Skills Gap
The biggest challenge to the cybersecurity industry is the lack of talent. It is estimated that we need 2 million more security professionals within the next few years. And when it comes to skills, that means not only technical skills but also business skills such as communication, negotiation, and project management.
Old-school security people will only talk about things such as firewall rules, vulnerability assessment, and application whitelisting. While these are still very important today, the new generation of cybersecurity professionals will need to understand the business needs, communicate effectively with management, and collaborate with internal and external stakeholders. At the end of the day, a successful cybersecurity program is designed, implemented, and maintained by everyone rather than by one or two security specialists.
3. Process Gap
Companies have accumulated tons of procedures and workflows over the years. It is very interesting to see that many of them go by another name: “Best Practices”. But as we all know, the tech industry is moving remarkably fast. Something that worked yesterday may become a hurdle to growth today. This includes the classic software development life cycle (SDLC) and the project management process.
Three concepts related to application security are evolving rapidly: Security by Design, Secure Coding, and Secure DevOps. A modern agile team must adopt them in its innovation and development process to meet the increasing demands of cybersecurity.
What can we do?
This is the million-dollar question (or 100 bitcoins?). Admittedly, it is impossible to offer a magic bean that solves all the troubles we have. But there are some basic things you can start with. And if you do them properly and consistently, you will gain a competitive edge.
Empower Your Cybersecurity Catalysts
Notice I did not say CISO, Director of IT Security, or Security Manager here. While you rarely hear of a “catalyst” position in a company, these are the people who are passionate about cybersecurity and committed to advancing it as much as they can. A cybersecurity catalyst might not be an expert in every field, but they will connect the dots, break the silos, and collaborate with internal/external experts to build a mutually supportive culture. In fact, this is exactly the environment we must have for innovation!
Train Your People on Secure DevOps
DevOps itself is not a new term anymore; however, incorporating security into it gives you a complete workflow that seamlessly integrates Development, Security, QA, Release, and Operations. More than just a process, Secure DevOps advocates:
- Define the cybersecurity requirements clearly at the early stage of the development
- Automate the repetitive tasks including security scanning, validation, and tracking
- Facilitate the communication and collaboration among various teams such as development, security, and product
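The second point, automating scanning, validation, and tracking, is where the “200+ page report” complaint above gets addressed in practice. The following is an added example, not code from the original post: a small security gate of the kind a team would wire into its CI pipeline. The scan report, the baseline of already-triaged findings, the ticket ids and the rule names are all constructed here as sample data; a real pipeline would load the JSON emitted by its SAST/SCA tool. The policy it implements is one common choice, not the only one: findings already tracked in the baseline never fail the build (they are listed with their ticket), new findings at or above a severity threshold do, and the output developers see is a short prioritized list rather than the whole report.

```python
"""Security gate for a CI pipeline (added example, not from the original post).

Policy (one common choice, stated here as an assumption):
  - a finding whose fingerprint is in the tracked baseline is "known":
    it is reported with its ticket but does not fail the build again
  - a new finding at or above the severity threshold fails the build
  - other new findings are listed for triage
"""
import hashlib

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample findings, shaped like a typical scanner's JSON output.
SAMPLE_REPORT = [
    {"rule": "sql-injection", "severity": "CRITICAL", "file": "app/db.py", "line": 42},
    {"rule": "hardcoded-secret", "severity": "HIGH", "file": "app/config.py", "line": 7},
    {"rule": "weak-hash-md5", "severity": "MEDIUM", "file": "app/legacy.py", "line": 15},
    {"rule": "missing-csrf-token", "severity": "HIGH", "file": "app/forms.py", "line": 88},
    {"rule": "debug-enabled", "severity": "LOW", "file": "settings.py", "line": 3},
]


def fingerprint(finding):
    """Stable identifier so one finding can be tracked across scans.
    Line numbers are deliberately excluded: they shift with every edit,
    which is exactly what makes raw reports look 'new' every time."""
    key = f"{finding['rule']}|{finding['file']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


# Constructed tracking baseline: findings the team has already triaged.
# Ticket ids are placeholders; a real team keeps this in its issue tracker.
BASELINE = {
    fingerprint({"rule": "weak-hash-md5", "file": "app/legacy.py"}):
        {"ticket": "SEC-101", "status": "accepted-risk"},
    fingerprint({"rule": "missing-csrf-token", "file": "app/forms.py"}):
        {"ticket": "SEC-117", "status": "open"},
}


def evaluate(report, baseline, fail_at="HIGH"):
    """Split a report into blocking / triage / known findings and decide pass/fail."""
    threshold = SEVERITY_RANK[fail_at.upper()]
    new_blocking, new_other, known = [], [], []
    for f in report:
        fp = fingerprint(f)
        entry = dict(f, fingerprint=fp)
        if fp in baseline:
            entry["ticket"] = baseline[fp]["ticket"]
            entry["status"] = baseline[fp]["status"]
            known.append(entry)
        elif SEVERITY_RANK[f["severity"].upper()] >= threshold:
            new_blocking.append(entry)
        else:
            new_other.append(entry)
    # Highest severity first, so the top of the list is what to fix today.
    new_blocking.sort(key=lambda e: -SEVERITY_RANK[e["severity"].upper()])
    return {
        "passed": not new_blocking,
        "new_blocking": new_blocking,
        "new_other": new_other,
        "known": known,
    }


def summarize(result):
    """Short, prioritized text for the developers instead of the full report."""
    lines = ["GATE: " + ("PASS" if result["passed"] else "FAIL")]
    for e in result["new_blocking"]:
        lines.append(f"  FIX NOW  {e['severity']:<8} {e['rule']} {e['file']}:{e['line']}")
    for e in result["new_other"]:
        lines.append(f"  triage   {e['severity']:<8} {e['rule']} {e['file']}:{e['line']}")
    for e in result["known"]:
        lines.append(f"  tracked  {e['severity']:<8} {e['rule']} ({e['ticket']}, {e['status']})")
    return "\n".join(lines)


if __name__ == "__main__":
    outcome = evaluate(SAMPLE_REPORT, BASELINE, fail_at="HIGH")
    print(summarize(outcome))
    raise SystemExit(0 if outcome["passed"] else 1)
```

The threshold is the lever the development and security teams negotiate together: start it at CRITICAL when a gate is first introduced so it does not block every release on day one, then lower it sprint by sprint as the tracked backlog shrinks. Excluding line numbers from the fingerprint is what keeps the baseline stable across refactors; if the scanner already emits its own stable fingerprint, use that instead.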
Assign a Security Master in the Agile Development Team
Scrum is the de facto agile methodology for many development teams. It usually consists of the roles of Scrum Master, Product Owner, and Scrum Team Members. With cybersecurity becoming prominent in product development and innovation, we may want to add a new role, Security Master, to the team.
A Security Master is not someone who shows up only at the end of each sprint to check the developers’ work. They act more like a Product Owner who consults, validates, and recommends the best approaches in the security areas. In other words, they are true stakeholders in the team: they share the joy and sadness with the team, they appreciate the innovation, and they strive to drive the success of the product development.
Unlike many other fields, cybersecurity is not just a technical or IT problem. The success of any cybersecurity program largely depends on people, specifically people’s awareness, perception, and understanding of security.
I am a strong believer in training and continuous education. Does cybersecurity slow down your innovation? It really depends on who is in charge. Find the right leaders/catalysts/professionals, train and treat them well, and they will bring both security and innovation to your business.