Can You Hear Me Now? Addressing the Communication Gap Between Development and Security Teams
Many organizations already know that their development and security teams have a communication problem: often the two communicate poorly, or not at all. That is a serious obstacle for any organization trying to succeed with DevSecOps and deliver secure products.
If security and development teams work independently of one another, or worse, at odds with one another, the security of the product suffers.
Security Suffers When Security and Development Fail to Work Together
A 2020 report by the research firm Ponemon Institute finds that organizations are at risk when product security and development lack a common vision for securely delivering the software capabilities the business needs. Security must be integrated throughout the product development process, according to the study. As businesses push developers to build and deliver code continuously and at a rapid pace, it says, security comes to be perceived as a hindrance.
As part of the research, Ponemon Institute surveyed 581 security practitioners who are involved in and knowledgeable about their organization’s application security activities, and 549 developers who are involved in and knowledgeable about their organization’s software development process. 77% of developer respondents said the cultural divide affects their ability to meet deadlines, and 70% of security respondents said it is putting the security of applications at risk.
A large majority of the security respondents said the state of security is undermined by developers who don’t care about the need to secure applications early in the software development lifecycle.
Overcoming The Different Goals of Security and Developers
It’s clear that the two groups do not always share the same definition of success. Developers want to create innovative software products quickly, leveraging automation to speed up their processes as much as possible. The security of the finished product is not typically uppermost in their minds.
The security team, on the other hand, wants to ensure that code is secure and as free of vulnerabilities as possible. That helps make the final product safe to use, but it can also slow the pace of development.
These and other differences can create lots of friction, which in turn can lead to turf battles, lack of cohesiveness, and even lower-quality products. Given this scenario, organizations need to make sure that the teams take steps to break down any barriers that exist and learn to understand each other better.
One good practice is to find common ground between the two areas. Discovering and fixing vulnerabilities, or preventing them in the first place, should be a shared responsibility of both the security and development teams.
After all, good-quality software should reach production or the market with as few vulnerabilities as possible, and it is in both teams’ interest that it does. Once they fully recognize this common interest, they need to collaborate on ways of addressing vulnerabilities that work for each team.
Time Together For True DevSecOps Communication
Simply getting together to resolve security and development issues can itself help bolster relationships. If members of the two teams meet on a regular basis, they tend to develop greater empathy for each other and become more flexible. They may come to realize that they are working toward a common goal and look for ways to cooperate more.
Deploying DevSecOps and leveraging DevSecOps automation can play a major role in fostering teamwork among developers and security professionals. The idea of bringing products to market not only quickly but securely as well should appeal to both groups.
Another key to success is having senior-level executive support for initiatives that bring security and development teams together. CISOs would be a natural choice to lead the efforts, given their overall responsibilities for ensuring all aspects of cybersecurity and their involvement in DevSecOps. But CIOs, COOs, or other senior executives could also lend support to such efforts.
As the Ponemon Institute noted, senior leadership must create an environment that encourages teamwork, collaboration, and accountability. Most organizations are not actively taking steps to encourage security and development to work more effectively as a team, it said. Only 36% of security respondents and 45% of developer respondents think their organizations’ senior leadership is aware of this problem.
That has to change, and leaders need to grasp the importance of having security and development teams work as a cohesive, harmonious unit. With so many organizations advancing their digital transformation efforts and introducing new online services, it’s more important than ever that these two factions not only get along, but excel through effective collaboration.