4 Ways Organizations Can Drive Demand for Software Security Training

While cybersecurity has always been a critical area for organizations that write their own software, we are rapidly approaching a near-perfect storm of forces that are elevating the risk profile of such organizations to unprecedented levels. Organizations that do not respond by adopting secure-by-design programming practices for everything they create risk being swept away by the new ocean of threats.

We all know that the threat landscape has steadily worsened, with everyone from organized crime to nation-state-backed groups now competing with lone professional attackers.

Few organizations can successfully respond every time an advanced threat attacks them, much less pay millions in cleanup costs. But the situation is even more critical, because the shortage of qualified cybersecurity personnel is more serious than ever. A Korn Ferry study estimates that by 2030 there will be 85 million unfilled jobs worldwide. And since technical fields that require advanced skills, such as cybersecurity, will be among the hardest hit, companies will not be able to simply hire new candidates to improve their security posture.

Finally, the legislative environment is starting to change in ways that are potentially unfavorable to those who write code. Fueled by deep mistrust among consumers tired of having their information stolen because of poor security practices, the Cybersecurity and Infrastructure Security Agency (CISA) recently released its Strategic Plan 2023-2025. The CISA plan requires that technology be designed to minimize the number of vulnerabilities before it is released to the public. While the plan's recommendations are merely suggestions at this time, there is a very real possibility that some elements of it will be codified into law.

Meeting the challenge of a perfect security storm

While various factors make the situation more complex than ever, companies building their own software are uniquely positioned to meet the new challenge by tapping into an incredible resource they already have: their developers. By empowering, upskilling, and reskilling their developers, organizations can improve their security posture, write more secure code with fewer vulnerabilities, and comply with government mandates before they become non-negotiable.

Here are four ways progressive and smart organizations are already achieving this critical goal.

Identifying real success criteria

Training without clearly defined objectives is only minimally effective at improving skills. A good cybersecurity training program should be built around predetermined business drivers and objectives. For example, in our experience, the three most common business drivers are compliance, risk mitigation, and productivity. The desired post-training outcomes must be clearly identified to further define a good training program.

Identifying security champions

A security champion is not necessarily the best programmer, although having these skills can help. The best security champions are those on the development team who have an active interest in security and a desire to help others get up to speed on the latest best practices and techniques.

The most successful organizations take the time to identify their champions, while programs without champions run the risk of never achieving their defined long-term business goals.

Distributing incentives

The truth is that training and upskilling programs will, at least initially, mean an increased workload for already extremely busy developers. This is especially true for the security champions who help build up the program. Providing incentives and rewards therefore shows developers how valuable their contributions are to the company and how much they are appreciated.

There are different types of incentives. Yes, budgets are always limited, but given that a single successful data breach can cost more than $4 million, investing a fraction of that sum in the people working to help avoid this fate is a smart decision. We have also found that many developers respond even better to things like preferential access to better projects, new job titles, and more freedom to operate with fewer barriers as their skills improve.

Measuring success

Even with a well-planned program, there may be unexpected pitfalls or areas that need to be optimized. Initially, the best measure of success is developer participation. Assuming the program has not been made mandatory (something we discourage; developers should want to go through training and receive incentives to participate), participation levels will be a significant factor to measure.

Beyond that, you should be able to measure your success in achieving those clearly defined business goals. For example, if scans reveal fewer vulnerabilities in code written after training and your goal is risk reduction, the training program meets your key business objectives.

Several factors are working against software companies these days, which can make such a perfect storm seem almost impossible to weather. However, those who look to their developer communities and empower them with highly targeted training programs can weather the storm, thriving where others might fail.
