The answer is not about scaling or adding more security heads to the organization. It again comes back to our mindset and to questions such as:
- Who would I partner with?
- Who are the stakeholders?
- How can we change the mindset?
- How can we have a well-defined software development lifecycle process?
- How can we have proactive security in the CI/CD pipelines?
And this is a conversation to be had within the business units and within the functional groups. But I’m also hearing about this in boardrooms, where we discuss SDLC; we understand the options. We are trying to understand how well it is adopted, not just by the board members but as a culture that would shift the organization. It is also about taking it forward and implementing it in the same way in the development communities.
With security, there are checklists and many more changes. How do we enable them to move faster without slowing them down? Dev teams are saying they need more automation.
Bring that mindset and have the right checklists, let’s say the OWASP Top 10, that call out injection, cross-site scripting, or sensitive data exposure, which could be inadvertent or malicious, and make sure that all the code goes through those checks before any feature launches to production.
Continue to innovate with that mindset, again without adding more heads within the security organization, but rather by enabling the rest of the business units to join this journey and making things easier by implementing the automation with partners.
I’ve seen that security teams continue to get pulled in and enable the developers to go ahead and ensure the security of that code. Sometimes, the security leaders have to go ahead and push for that paradigm shift. As we talked about automation, we are enabling the developers with the right tools and services.
We continue to see a pull-and-push model. You would rather have the developers come to the security teams to ensure they follow the best practices than push yourself, as a security leader, into that conversation.
At some point in the future, it becomes a well-oiled, well-functioning process, where security through automation enables the developers to keep building with speed, with the various integrations that need to be implemented: the different security cultures, hygiene, best practices, etc.
How do you implement it while making these culture shifts? By applying the hygiene and best practices and bringing third parties in to launch that automation.
I recommend adding more security by finding a role model team in the organization, latching on to them, and driving that culture.
Drive culture, or bring security champions into the developer community to drive the change. “Security champion” is now becoming an industry-standard term: it needs an evangelist, a champion within that business unit who goes through the training and the curriculum.
And then, with that role, they go ahead. Once they prove successful, the rest of the teams start coming in.
Enable the champions to hold their respective dev teams more accountable, probably with KPIs and metrics like scorecards to measure success. And are they following those recommendations, measured against our North Star metrics?
How do you go about measuring that? Let’s say no incidents happen because of vulnerabilities that could otherwise have been caught or the adoption of these services. With that, the security champions enabling the adoption of automation services to embed security early in the lifecycle could be a metric.
Enable them with the right education, train them appropriately, and then discuss various risk criteria like defining high risk versus medium versus low risk and enabling the right amount of sanity testing, unit testing before the code gets checked into production, or even counting vulnerabilities.
These are various measures of success that I call out as ways to change the culture, change the mindset, and embed security within the business units rather than just relying on a security organization to ensure platform security.
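As an added illustration, not from the speaker or from any specific scanner or organization, here is a small Python pipeline gate that applies the kind of high/medium/low risk criteria and per-team scorecard metrics described above to constructed scanner findings. The finding schema, the category names, the tier mapping and the thresholds are all assumptions; a real program would set them together with the security champions.

```python
"""Added example: a CI/CD security gate plus a per-team champion scorecard.

Everything here is illustrative. The finding records, category names, risk
tiers and thresholds are constructed assumptions, not the output or policy of
any real scanner or organization.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed risk tier for each vulnerability class (OWASP Top 10-style names).
RISK_TIER = {
    "injection": "high",
    "cross-site-scripting": "high",
    "sensitive-data-exposure": "high",
    "security-misconfiguration": "medium",
    "outdated-dependency": "medium",
    "verbose-error-message": "low",
}

# Assumed gate policy: the most open findings per tier a build may carry.
GATE_THRESHOLDS = {"high": 0, "medium": 3, "low": 10}


@dataclass(frozen=True)
class Finding:
    team: str
    category: str
    path: str
    line: int


def tier_of(category):
    """Map a category to a tier; unknown categories fail closed as 'high'
    so a new scanner rule can never slip through the gate unnoticed."""
    return RISK_TIER.get(category, "high")


def load_findings(records):
    """Parse scanner records (constructed schema: team/category/path/line)."""
    return [
        Finding(rec["team"], rec["category"], rec["path"], int(rec["line"]))
        for rec in records
    ]


def evaluate_gate(findings):
    """Decide whether the build may proceed to production."""
    counts = Counter(tier_of(f.category) for f in findings)
    blocked_on = [t for t, limit in GATE_THRESHOLDS.items() if counts.get(t, 0) > limit]
    return {
        "passed": not blocked_on,
        "blocked_on": blocked_on,
        "counts": {t: counts.get(t, 0) for t in GATE_THRESHOLDS},
    }


def scorecard(findings):
    """Per-team open findings by tier: the numbers a security champion owns."""
    card = {}
    for f in findings:
        row = card.setdefault(f.team, {t: 0 for t in GATE_THRESHOLDS})
        row[tier_of(f.category)] += 1
    return card


# Constructed sample scanner output for two teams (not real findings).
SAMPLE_RECORDS = [
    {"team": "payments", "category": "injection", "path": "api/orders.py", "line": 42},
    {"team": "payments", "category": "verbose-error-message", "path": "api/errors.py", "line": 7},
    {"team": "web", "category": "cross-site-scripting", "path": "templates/profile.html", "line": 19},
    {"team": "web", "category": "outdated-dependency", "path": "package.json", "line": 1},
    {"team": "web", "category": "outdated-dependency", "path": "package.json", "line": 1},
    {"team": "web", "category": "new-rule-not-yet-classified", "path": "src/app.js", "line": 88},
]


def main():
    findings = load_findings(SAMPLE_RECORDS)
    gate = evaluate_gate(findings)
    verdict = "PASS" if gate["passed"] else "BLOCKED on " + ", ".join(gate["blocked_on"])
    print("gate:", verdict)
    for team, row in sorted(scorecard(findings).items()):
        print(f"{team:10s} high={row['high']} medium={row['medium']} low={row['low']}")


if __name__ == "__main__":
    main()
```

Two design choices carry the point of the passage: the gate decision is a function of the same tiered counts that feed the scorecard, so the metric a champion is measured on and the check that blocks a release never drift apart; and an unclassified category is treated as high rather than ignored, so adding a new scanner rule cannot quietly weaken the gate until someone assigns it a tier.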
For this model to truly succeed as the organization grows in scale, you have to start spreading and instilling that security mindset across all product groups and business units.