Does your developer team have an (enterprise security) attitude?
You may have a ‘personal attitude’ when pushed to certain limits in a social situation, but what kind of ‘total enterprise attitude’ (TOA – not a real acronym, but it could be) to cybersecurity does your software engineering team have?
This is the question that software security solutions integrator (SSSI) company Optiv Security set out to answer when it launched its independent research report entitled ‘Enterprise attitudes to cybersecurity: Tackling the modern threat landscape’.
So then we need to look at the key ‘findings’, but there’s a problem.
When it comes to ‘survey findings’, we can typically replace the term with contrived, pre-configured survey results that align with the sponsoring company’s core message set, based on loaded questions posed to a carefully defined audience likely to provide the desired end results.
But actually… some of this stuff is cerebral and remarkably non-corporate, i.e. it was found that external factors such as security breaches covered in the news and changes in legislation and regulation were the top influences on cybersecurity strategies — and that IT professionals are often [only] fixated on being reactive.
First mindsets
In the research, two distinct tribes of IT decision makers were uncovered: ‘Protect First’ and ‘Business First’.
Protect First represents the nearly half of businesses (44%) who claim to put cybersecurity above all else, even if it slows down user productivity. They’re fixated on threats, perhaps at the expense of business transformation and wider business goals.
But how should IT managers instill a Business First mentality among software application developers who really won’t have bottom line company finances at front of mind? After all… these are guys (all genders) who simply care about app functionality, speed of data throughput and where the next pizza is coming from, right?
In answer to this exact question John Bock, VP of application security, Optiv, explains that, “This is mainly a culture issue – at companies where development is the core of the business, developers are often immersed in the cultural attributes that management wants top of mind. If we focus solely on introducing financial awareness, developer activity is going to be structured as a set of tasks that are tracked and can be measured. So, if a particular developer or development project is becoming a drain on the business, that should be apparent and can be corrected by management.”
Optiv also found that nearly two out of three U.K.-based IT and security decision makers say their security programme is continuously reactive due to constantly changing legislation, threats and other external factors.
Coder mentality shift
So how do you move coder mentality from continuously reactive to continuously prescriptive, predictive and preventive? Is it simply a question of beating it into the engineering team, or do you need to pay them off with extra soda rations? What’s the answer?
Optiv’s Bock says that when ‘continuously reactive’ gets mentioned in relation to a development team it’s typically because a group is operating without a defined process and toolchain.
“It can also be an application where the bug backlog is so large that they simply can’t get ahead of it. There can definitely be times where the application is poor quality and due to outlying circumstances, like a handoff from a contractor or a different team, there needs to be a specific effort to determine why they have to keep reacting to new incoming defects on a constant basis,” said Optiv’s Bock.
The “Enterprise Attitudes to Cybersecurity: Tackling the Modern Threat Landscape” report also found that the proliferation of mobile applications has either a major or significant impact on 79 percent of businesses – even more so than the need to understand gaps in their current security programmes.
Business buy-in
The research further suggests that wider business buy-in is also a challenge. Nearly three in five IT leaders feel that obtaining buy-in for their security programmes is tough, primarily because of a lack of understanding from the board.
So how does Optiv think that acceptance – once the board does exhibit buy-in – should be translated over to the software engineering workshop?
Bock thinks that if the business is presenting an application concept to the board without consultation with the engineering shop, then that would be unusual and a ‘bit broken’.
“The proposal would not have validation that the product concept is feasible, is compatible with the rest of the business systems, how long it would take, or how much it would cost. It’s rare for the development group to fail like that unless the project requirements were off by a large margin,” said Bock.
Optiv worked with London-based research agency Loudhouse to complete this report. Loudhouse conducted online interviews with 100 U.K.-based IT and security decision makers at enterprise businesses (1000+ employees) to understand their current strategies, challenges and aspirations with regard to cybersecurity.