HugOps and Hopium: how to get developer and security teams working together
With nearly 3.5 million cybersecurity jobs to fill worldwide by the end of 2021 alone, there’s a massive gap in cybersecurity talent. Part of this is academic, since the process to jump from developer to cybersecurity expert is arduous and expensive. But the other side is cultural, with a tension between developers who want to build cool things and security teams who want to keep things safe.
On a recent BetaKit Live panel, John O’Brien, Security Lead, Customer Success at Microsoft Canada; Dave Burnison, Technical Advocate at GitHub; and Cara Wolf, CEO of Ammolite Analytics, discussed what’s causing the disconnect between developers and security, why the necessity of cybersecurity demands a solution now, and how to bridge the gap.
A growing but unnecessary rift
Right now there’s no clear academic path to study cybersecurity. Students must first get a computer science or engineering degree, then apply for additional niche programs, often at a significant extra cost. Most developers skip this step and go straight into the workforce, missing crucial cybersecurity training.
Once in the workforce, cybersecurity teams are often siloed from the rest of the business, seen as a compliance step rather than part of the development process. As a result, they are often pitted against developers – and vice versa. Wolf sees this as a failure of education that hurts the career trajectory of more junior people who otherwise would be interested in cybersecurity.
She said that industry shies away from hiring juniors because they aren’t taught security by design as part of their education, which compounds their need for mentorship and sponsorship. “We really do need to include security by design in any and all training as well as in professional development when we bring the young devs up,” said Wolf.
To O’Brien, the result also causes unnecessary pressure for both developers and security teams. “One of the things we forget is that developers are people just like us,” said O’Brien. Coming from the perspective of working in both development and cybersecurity, O’Brien explained that developers have a lot of pressure to get something done quickly.
So when security is not built into the process and they run into the “brick wall that is typically security,” they hit unhealthy friction. “If we blame them for doing what we’ve told them to do, then I don’t see how we’ll ever really step back and fix the problem, or even understand the problem,” said O’Brien.
Smarter cybercriminals demand smarter cybersecurity
While the cybersecurity talent gap has existed for a while, it’s wider than ever at the worst possible time. Wolf said a significant portion of leaked and stolen records were software related, going beyond a company’s core product and into the broader ecosystem of platforms that employees use on a day-to-day basis.
“This has got to be something that is looked at in the entire supply chain,” said Wolf. Wolf noted that there’s also pressure from customers demanding more security from companies. While she supports these demands, she also said customers need to be willing to pay for it, as hiring strong teams to build secure products will cost more than taking shortcuts.
O’Brien, on the other hand, noted a silver lining: with the costs of ransomware becoming very clear, it’s easier to make a business case for investing in security. Previously, he said, security professionals had a hard time explaining the value of security.
Now, they can point to explicit costs such as paying a ransom or paying for recovery versus investing in security up front. Investing upfront is also becoming a necessity for some cyber insurance, said Wolf, where underwriters won’t provide a policy unless a business can prove it is already investing in its security.
HugOps and hopium
Looking toward solutions, the panel discussed some strategies for businesses to bridge the developer-security gap in their organization. Building a healthy security culture: Burnison recommended that businesses focus on delivering value to end users, which will inherently include security.
To get to this focus, he said, companies need a culture that supports employees rather than blaming someone if something goes wrong. “It’s about looking at things through a blameless post-mortem,” said Burnison. “Not to say who broke it but what went wrong.” O’Brien added that a good security culture is prescriptive.
Instead of security teams only pointing out problems, he recommended that security teams give developers the steps to fix the problem. This is part of a larger trend that O’Brien hopes everyone realizes: all employees have a part to play in security. “You have to get out of the mindset where security professionals are the only ones who can think about risk,” said O’Brien.
Don’t be afraid of third parties: Wolf said that a good third-party analyst will not only tell you how to improve your systems and plug non-obvious gaps, but they also are a crucial buffer for junior employees who might be otherwise afraid to speak up. Third-party partners can hear concerns confidentially then either raise the point on their own or coach the junior employee on how to present the information effectively to senior leadership. “I think it’s critically important to have a third party come in and look at your organization,” said Wolf.
Manage with grace, but also to expectations: Wolf added that while it’s critical to not blame someone every time something goes wrong, startups need to be wary of the pendulum swinging too far in the other direction toward a place where companies are “smoking hopium” and tolerate incompetence. “We have to stay competitive, we have to stay profitable, and we have to work in those parameters or we’re not going to exist anymore,” said Wolf. To Wolf, managing with grace toward expectations means training employees well so they don’t make repeated mistakes.
However, if employees do, then they need to go. “You can’t afford incompetence,” said Wolf. “Nobody can.”
Teamwork makes the (cybersecurity) dream work
A key way to make cybersecurity more ingrained in company culture is to break down work silos and focus all work on the customer. O’Brien said that a customer focus will inherently include cybersecurity, among other concerns like usability and accessibility, because those details matter to customers.
O’Brien then explained Microsoft’s approach to this problem, called One Engineering System (or “1ES” for short). Within 1ES, cross-functional teams are put together to build specific products, rather than being organized in traditional departments like design, development, and security. Within this system, everyone is working toward the same goal of building a valuable product for customers.
Burnison, who worked at Microsoft before moving to GitHub, added that it creates a great exposure opportunity for employees. Developers get to see more of how to embed security as they build, while security teams get exposure to market-driven decisions as they are being made, giving them a way to speak up for security-by-design. Wolf agreed with this approach, adding that it brings everyone together to not only build secure products, but build market-driven products that will help companies with revenue and profitability goals.
“It’s the responsibility of the entire ecosystem to understand the nature of the threats against us and how we all respond as a civilization and as an ecosystem,” said Wolf.