4 ways organizations can increase demand for software security training

COMMENT

While cybersecurity has always been a critical area for organizations that write their own software, we are rapidly approaching a near-perfect storm of forces that is raising the risk profile of these organizations to unprecedented levels. Organizations that do not respond by adopting secure-by-design programming practices for everything they create risk being swept away by a new ocean of threats.

We all know the threat environment has been steadily deteriorating, with everything from organized criminals to nation-state-backed groups now competing with solo and professional attackers.

Few organizations can successfully respond every time they are attacked by an advanced threat, much less absorb the millions in cleanup costs. The situation is even more critical because the shortage of qualified cybersecurity personnel is more acute than ever. A Korn Ferry study estimates that by 2030 there will be 85 million unfilled jobs worldwide. Since technical fields that require advanced skill sets, such as cybersecurity, will be among the hardest hit, companies will not be able to simply hire new candidates to improve their security posture.

Finally, the regulatory environment is beginning to shift in a potentially unfavorable direction for those who write code. Driven by heightened caution among consumers who are tired of having their data stolen because of poor security practices, the Cybersecurity and Infrastructure Security Agency (CISA) recently released its 2023–2025 Strategic Plan. The plan calls for technology to be designed so that vulnerabilities are reduced before it is released to the public. While the plan's recommendations are currently only recommendations, there is a very real chance that some of its elements will be codified into law.

Facing the challenge of the perfect security storm

While these factors make the situation more complex than ever, companies that build their own software are in a unique position to meet the challenge by leveraging a resource they already have: their developers. By empowering, upskilling, and retraining their developers, organizations can improve their security posture, ship code with fewer vulnerabilities, and get ahead of government mandates before they become binding.

Here are four ways progressive, smart organizations are already achieving that key goal.

Identifying real success criteria

Training without well-defined goals is only minimally effective at improving skills. A good cybersecurity training program should be laser-focused on predetermined business drivers and goals. In our experience, the top three business drivers are compliance, risk reduction, and productivity. The outcomes you want after training must be clearly identified before the program itself can be properly designed.

Recognizing security champions

A security champion is not necessarily the best developer, although strong development skills help. The best security champions are those on the development team who take an active interest in security and want to help others learn the latest best practices and techniques.

The most successful organizations spend time identifying their champions; programs without champions risk never achieving the long-term business goals they defined.

Introducing incentives

It is true that training and development programs will represent, at least initially, an increased workload for already extremely busy developers. This is especially true for the security champions who anchor the program. Providing incentives and rewards shows developers how valuable their contributions are to the company.

There are different types of incentives. Budgets are always limited, but given that a single data breach can cost more than $4 million, investing a fraction of that in the people working to avoid that fate is a smart decision. We have also found that many developers respond even better to non-monetary rewards: privileged access to more interesting projects, new job titles, and more freedom to work with fewer barriers as their skills improve.

Measuring success

Even with a well-planned program, there may be unexpected pitfalls or areas that need adjustment. Initially, the best measure of success is developer participation. Assuming the program is not made mandatory (something we discourage: developers should want to attend training and should be rewarded for participating), participation levels will be a significant metric to track.

In addition, you should be able to measure how well you are meeting the business objectives you defined. For example, if your goal is to reduce risk and scans reveal fewer vulnerabilities in code written after training, the program is meeting its core business goal. Compare vulnerability density (findings per unit of code or per change) rather than raw counts, so that a drop in output or a change in scanner coverage is not mistaken for improvement.

Several factors work against software companies today and make weathering this perfect storm extremely difficult. However, those who look to their developer communities and empower them with highly targeted training programs can rise above the storm, thriving where others falter.
