Caught between an increasingly complex threat landscape and an ongoing shortage of skilled security staff, many Chief Information Security Officers (CISOs) are feeling the pressure.
Unable to secure the resources they need, many are turning to other areas for help. One that can deliver significant assistance yet is often overlooked is an organisation’s software development team.
This approach is being taken within organisations even at a time when the official corporate line is that ‘security is everyone’s responsibility’. This is because there are limits to what untrained and unmotivated workers – especially those who don’t work in IT – can do to make their organisations more secure against cyber threats.
Within a company, it’s one thing to make everyone aware of cybersecurity, but another to educate them to make their organisation more secure within the context of their role or to use the defensive tools they already have in place to counter threats and squash vulnerabilities.
To achieve this, companies need to invest in upskilling. It’s far better – and oftentimes easier – to invest in the talented, loyal staff who are already a part of an organisation than to try to hire new people from outside. But even then, putting those learning resources in the best place to get the required results is key.
Clearly, developers already understand IT since they write much of the code for the programs being used by their organisations. Also, they are often ready, willing, and able to upskill in cybersecurity to help make them even more amazing at their jobs.
Smart CISOs are tapping into this enthusiasm and providing developers with the education pathways they want and need, with the payoff being a reduction in common vulnerabilities and a lowering of the pressure on overworked AppSec personnel.
The best CISOs know that upskilling is critical to success. But not just any training will do, especially for the development community that already has a good baseline understanding of IT. A ‘tick-the-box’ program won’t offer much return on investment and will likely frustrate developers into poor performance and a lifelong hatred of working with security teams.
Likewise, any solution that impedes their workflow, fails to stay agile with enterprise security goals, or cannot deliver the right education at the right time in an easily digestible format is unlikely to result in foundational security awareness or skills.
Other tactics of successful CISOs
Leading CISOs are also able to address other key pain points that traditionally hinder good cybersecurity programs, such as the relationships between developers and application security (AppSec) teams or how cybersecurity is viewed by other C-suite executives and the board of directors.
For strong AppSec relations, good CISOs understand that developer enablement helps to shift security farther to the so-called left and closer to a piece of software’s origins. Fixing flaws before applications are dropped into production environments is important and much better than the old way of building code first and running it past the AppSec team at the last minute; it avoids those annoying hotfixes and delays to delivery.
However, this approach can’t solve all of AppSec’s problems alone. Some vulnerabilities may not show up until an application gets into production, so relying on shifting left in isolation to catch all vulnerabilities is impractical and potentially costly.
There also needs to be continuous testing and monitoring in the production environment, and sometimes apps will need to be sent back to developers even after they have been deployed. A great CISO with a foot in development and security can smooth out those relations and keep everyone working as a team.
Getting other C-suite executives onboard with better security might be an even more difficult challenge, with leadership outside the CISO and CIO normally looking at business objectives and profits before anything else.
To counter this, superstar CISOs know how to show a direct correlation between better, more mature cybersecurity and increased revenue, and how it can even provide a competitive advantage.
The challenges being faced by CISOs are significant but not insurmountable. Those who are able to master adversity can become true superstars within their companies and communities. They competently employ agile developer upskilling, champion security culture, and streamline relationships between the traditional rivals of development and AppSec teams.
Above all, they foster a security-first approach from the top down which will benefit everyone.