Is good security the answer to team happiness?

Pieter Danhieux is co-founder and chief architect of the Secure Code Warrior platform, a gamified environment where developers and security testers can learn how to properly identify and fix security weaknesses in software. Until January 2015, he was part of the leadership at BAE Systems APAC in his role as head of delivery of the Applied Intelligence business unit. Before that, Pieter worked for seven years at Ernst & Young in Europe as one of their information security experts running a team of attack and penetration resources operating in the financial industry and telecommunication space. Pieter was one of the youngest persons ever in Belgium to obtain the Certified Information Systems Security Professional (CISSP) certification.

Nowadays, most businesses aren’t naive enough to imagine that they can manage without the most basic cybersecurity protections. However, they’re more likely to invest in such provisions after experiencing a direct threat or hearing a closely related business has suffered a breach.

This reactive approach to cybersecurity is costly — impacting not just the bottom line, but employee happiness and even customer trust. In reality, however, even a small investment in security during the early stages of the software development lifecycle can generate huge savings and make a big difference when it comes to employee wellbeing.

Vulnerabilities can have severe consequences 

When security is not front of mind, even the most experienced developers can produce vulnerable code. This is unsurprising, as developers are trained and paid to find solutions to application problems, and security upskilling is often deprioritised or absent. It is all too common for well-meaning developers (who know little about common vulnerabilities like injection flaws) to repeatedly introduce them into their code, completely unaware. What’s worse is the mindset that considers AppSec and InfoSec teams solely responsible for security, when in reality, best practice must make security intrinsic to the development process, and that responsibility should be shared.

This may not seem like an issue for the C-suite to contend with. However, the potential consequences of vulnerable code are too widespread to overlook — executives should undertake proactive measures to tackle the issue before a problem arises and mitigate risk. Repeated vulnerabilities not only increase the friction between development and security teams, but also extend the development lifecycle, in turn delaying the application release and increasing costs. In the worst-case scenario, the vulnerability leads to a data breach. Then, not only is the frustration amplified, but the far-reaching repercussions will touch dozens to hundreds of employees as the organisation faces profit loss, regulatory fines, inquiries, lawsuits, customer attrition and brand damage.

Keeping the peace

Closing the security gap is absolutely essential, but it mustn’t be achieved at the expense of your developers. It is possible to make everyone happy, and this starts with acknowledging that there are no villains in your defence teams — just a knowledge deficit that proper process can address.

Championing a cultural shift in the software development industry is essential to eradicate vulnerabilities. This starts at the top — executive leaders have the power to inspire a bottom-up transformation that drives secure code the first time it is written. Leaders can empower developers by helping them to understand the impact their secure coding practices can have on the overall success of the company. Organisations should also consider incentivising their developers to create secure code — it’s important to show how this skill set will help to boost their careers and make them more employable. 

It doesn’t stop there. Fostering the developer/AppSec relationship can create harmony, with each individual owning their role in safeguarding the organisation’s security posture and feeling part of a team that has one another’s backs in case of the occasional slip-up.

Finally, there are several different approaches to ensure that your developer team is a fully integrated part of the security solution. This might include paying for teams to attend relevant conferences or developing tailored in-house training programmes. Overall, it’s important to embrace a more agile and dynamic approach, in order to discover the appropriate response and solution for your organisation. This will depend on a number of factors, including the size and pace of your development team and their current experience.

The true value of investing in secure developers

Finding the appropriate way to invest in security awareness and hands-on practical upskilling for your developers could make all the difference for both individuals and the organisation, impacting:

  • The software development lifecycle – improving security measures from the outset makes for a faster and more cost-effective process, ultimately opening the door to more frequent innovation
  • Employee satisfaction – with happier and more productive developers creating more secure software requiring less rework
  • Compliance – reducing the potential for data breaches means less chance of regulatory fines or other legal proceedings 
  • Reputation – a data breach could drive bad press and seriously impact customer trust, partner relations and ultimately damage the brand 

With such a high return on investment, what are you waiting for? 
