How to Get Developers on Board with Security
February 16, 2016 | DevOps | joanna mastrocola
Getting developers on board with new security initiatives can be tricky. Developers want to innovate, and since their performance is measured by their productivity, security is often viewed as a hindrance that cripples their ability to excel. As the technical landscape has become more competitive, and enterprises need to keep up with their rivals, slowing down isn't an option.
Data breaches are now commonplace, and it seems that every week more sensitive customer data is left exposed. The negative media attention associated with data breaches has finally caught the eye of high-level executives, and they are pushing for change. For the first time in years, security is becoming a mainstay in the business conversation. What does this mean for the security and risk professional? Security is now everybody's headache. It is your job to make sure that everyone is willing, even eager, to follow the security best practices that you develop. Sounds easy, right? Well, it isn't. Security isn't an easy sell, especially when you are trying to sell it to someone whose job is to make cool stuff. However, as security comes under closer scrutiny, it is crucial that developers get on board. So, how do you get your developers to care about security? Here are 6 tips to get you started.
1. Security Comes From The Top
Make sure top-level business executives understand how important security is to the success of the organization. Once they understand, have them communicate this importance to the entire organization. They should be talking about security in company-wide meetings and using security terms in internal literature. If high-level executives present security as a priority, it will be perceived as one, and will therefore become a point of concern for every person operating in the business. It is one thing for a security and risk professional to push for greater security. Having security discussed at the very top, among executives who otherwise aren't involved in the tech side of things, reinforces the idea that security is everyone's responsibility and a measured benchmark of success for the enterprise.
2. Put your Money Where Your Mouth Is
If you are going to make security part of the developers' responsibility, you must provide them with the budget for the resources and tools they need to get the job done. If security is a business priority, each department should be given a proper budget to purchase the tools it needs to succeed and continue innovating.
3. Create a Well-Thought-Out Security Program
Make sure you engage with developers and create a program that outlines how important security is to the organization, the impact it has on the business, and how security can be woven into the development process. Be mindful of the struggles developers will face in learning new tools and changing their processes. With these hurdles in mind, craft proper training for the new tools and set up regular meetings to make sure things are going according to plan. When developing your security program, be sure to include information about recent data breaches that came from vulnerable code; this type of practical, real-world information will be key in getting developers passionate about secure innovation.
4. Understand It’s A Process
As a security and risk professional, you must communicate that security is a process with many different pieces, and development is one of those pieces. Therefore, each step in the development process should be made more secure. Run security assessments at multiple stages of the development cycle rather than a single review at the end. By re-evaluating at each step, you can determine where bugs are introduced, find ways to catch those flaws earlier in the process, and better ingrain security in every part of it.
5. Encourage Accountability
Make sure developers are held accountable for hitting specific security metrics and following the security protocols you have put in place. Reward them for their contributions, recognize their successes, and make security part of their yearly evaluations.
6. Talk About It
Encourage developers to communicate with one another, with the security team, and with other groups within the organization. Promote an open dialogue in which questions, criticisms, and new ideas are equally welcome. Understand that there is no single, perfect security path and that changes will be made at each step of the way. Continually re-evaluate what is working and what isn't, based on the feedback you receive from the development and security teams. Iterate on these processes until you find the system that works best for your enterprise.
For the security and risk professional, aligning development with security is a difficult but invaluable part of the process. Keep a finger on the pulse of everything going on in the organization, including the struggles, pressures, and successes of the development team. Keep in mind that management has made innovation and faster time to market priorities for developers, and that security can very often slow those down. However, by making security a priority across the organization, and establishing a more secure enterprise as a benchmark of success, you make developers much more likely to remain vigilant in meeting the specific security metrics outlined in your program.