On the surface, it might not be obvious why developers need CISO guidance. Most developers spend their time knee-deep in code, building software to help enable business outcomes. They don’t typically have a major focus on security; they might even view security as an impediment due to past experiences. But peel back the curtain, and it becomes clear why CISO guidance is needed.
Developers are producing software that is driving business value in our modern digital business ecosystem. These businesses are governed by a myriad of compliance, privacy, and other regulatory requirements in which most developers aren’t well versed — but the CISO is. In this analysis, I’ll lay out five ways in which CISOs and developers can work together to maximize the security posture of their organization as new software is created.
Which companies are the most important vendors in cybersecurity? Click here to see the Acceleration Economy Top 10 Cybersecurity Shortlist, as selected by our expert team of practitioner-analysts.
Enforce Security and Compliance
The CISO can guide developers so that they understand security and privacy requirements for the applications they develop and how those applications use data. This is particularly important for data types such as personal identifiable information (PII), protected health information (PHI), and payment card data. Developers are likely not as familiar as their security peers with regulatory requirements around data types since it is the CISO and security teams’ job to be current on regulations and ensure regulatory compliance on behalf of the business.
Deliver Business Enablement
One of the most critical functions that CISOs perform is business enablement, and their work with developers is a prime example of how they can deliver on that priority.
For some time now, we’ve heard calls for security to work as an enabler and not a blocker of business initiatives. CISOs and their security teams can work with the product and development teams to create new ways to ensure software is secure. They can do this by building protection measures into processes for developing and deploying software.
This may include hardened endpoints, continuous integration and continuous delivery/deployment (CI/CD) pipelines of security tooling, and controls to protect sensitive data. This improves developer experience by ensuring not only that code gets to production but that it does so securely, aligned with organizational security and regulatory requirements.
Protect Developer Workstations and Tools
An often overlooked but critical part of enterprise security is the hardware — workstations and tools — used by developers in their everyday work. Often, hackers or bad actors will not go to production systems first. They know there are organizations that have development systems with access to production environments. In addition, many developers have elevated permissions and may have corporate certificates for testing purposes. From a developer’s perspective, it can be comforting to know there is a larger team, the CISO’s team, helping secure the myriad of development machines and environments.
Secure Corporate Data Stores
Developers will usually appreciate and want to work with the CISO to reduce risks from disparate data and code assets. Elevated developer permissions and development environments can also be an issue in securing corporate data stores. Many developers have credentials to databases and sometimes backups as well. Often the databases are copied on a regular basis to development database servers. Some developers may be building for a secure private cloud but, in an effort to reduce cost, testing using a public cloud, highlighting the complexity and potential risks that need to be managed.
Identify Insider Threats
Regular communication between the CISO and developer leads or teams can also assist in spotting disgruntled employees. Many hacks and leaks are initiated by people inside the company. A disgruntled developer with access to an organization’s certificates, secrets, and data can be a particularly problematic scenario. If developers are regularly communicating with the CISO, the CISO may be able to eliminate threats from disgruntled employees by spotting them sooner. From a developer’s perspective, such communication can open avenues for the resolution of issues that may be interfering with productivity.
Building a collaborative approach between security and development teams alleviates some tension between the development and security teams and helps break down silos, which is a common theme with the continued push for DevSecOps and its objective to break down barriers between development, security, and operations teams. CISOs can help build this rapport through efforts such as security champions programs, brown-bag and educational sessions, outreach. Effective security enablement is quite possibly the best measure to fuel collaboration.
Paul Swider, founding CEO of healthcare tech startup RealActivity and Acceleration Economy analyst, also contributed to this analysis.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: