CISOs have traditionally been in the unenviable position of leading the charge against cyberattacks, complying with regulatory requirements, and taking the lion’s share of responsibility when something goes wrong. While they are slowly but surely gaining boardroom influence and peer support, the past 12 months have been especially hectic: the explosion of AI tools in software development has prompted significant legislative activity that the average enterprise is struggling to interpret and meet, on top of an onslaught of new threats.
The cybersecurity skills shortage is well-publicized, with the widely cited projection of 3.5 million unfilled cybersecurity roles worldwide by 2025, and AppSec is no exception. The lack of skilled security professionals continues to be a burden for CISOs looking to shrink an attack surface that, through digital demand, technological innovation and a growing threat landscape, has been spiraling out of control for some time. However, this cannot keep paralyzing the industry into inaction.
CISA’s Secure-by-Design guidelines are gaining traction as a higher standard for software vendors to achieve, while updates from NIST (CSF 2.0), the PCI Security Standards Council (PCI DSS 4.0) and the EU-wide NIS2 Directive are having a global impact on many enterprise companies. Smart CISOs are utilizing their full team potential through role-based upskilling, and especially enabling the development cohort to take pressure off the AppSec team by honing their security skills on an ongoing basis.
A Positive and Proactive Security Culture is an Easier Path to General Regulatory Compliance
Those in charge of rolling out compliance measures at the enterprise level are familiar with the arduous, multi-faceted approach needed to meet the requirements: after all, if it were easy to achieve, the outcomes would be meaningless.
In the cybersecurity space, there is an overwhelming number of regulations (PCI DSS 4.0, for any organization that stores, processes or transmits cardholder data, is one example) in addition to general guidelines that are in an organization’s best interest to follow, such as the newly released NIST Cybersecurity Framework (CSF) 2.0 and the EU’s transformative NIS2 Directive. For these examples, it would take a herculean effort from AppSec specialists, the development and IT teams and executive oversight to comply across the board. Failing to manage cohesion between teams can produce a lackluster result that, ultimately, doesn’t achieve the goal of safer software and digital assets.
Therefore, every team must operate on the same page, with the same security-first goal front of mind. The health of the security culture is a good indicator of an organization’s standing and where improvements must be made. Goal alignment between AppSec and their development counterparts has been difficult to establish in most organizations, and the bigger they are, the more likely it is that developers are solely focused on speedy feature development, often at the expense of thorough security considerations.
This is not their fault, and rather than simply giving them another plate to spin in the form of generic secure-coding training, they must be nurtured, appropriately upskilled and given the tools needed to maintain their role in driving down common vulnerabilities.
Many of the newer guidelines and frameworks specify role-based training as a must-have, often in the context of this being a vital step in securing the software supply chain. For example, the NIST CSF 2.0 states:
Awareness and Training (PR.AT): The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks
- PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind.
- PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind.
This is similar advice to the previous version, and the sentiment is replicated in guidelines around the world, including the UK’s cybersecurity strategy. It is sound advice on the surface, but even basic annual training in the form of video lectures would technically meet the guideline requirements, while not providing the learning pathways necessary to truly arm developers with the skills to recognize and avoid common vulnerability classes in their own codebase.
Ultimately, the work put into delivering a holistic, positive security culture that places developers as the driving force behind vulnerability detection and mitigation — or, ideally, not creating unsafe coding patterns in the first place — will determine an organization’s success. Security leaders must go beyond simple box-checking to choose the right training and tools to modify behavior, not just meet elementary recommendations.
You Can’t Improve What You Can’t Measure
I speak frequently to CISOs and security leaders worldwide, and despite operating in a diverse range of verticals, there are unifying pain points between them. One such area is the need to measure the effectiveness of their security programs overall, but the more they lean into the ‘people element’ of security, the more difficult it becomes to gauge and improve with the backing of solid metrics.
Improving the overall state of the security program requires benchmarking and frequent assessments to ensure each component is aligned with meeting pre-determined goals, guidelines or regulatory requirements, but this can be elusive, especially in measuring developer security skills.
How is impact accurately measured in this scenario? Leaders should be seeking deep visibility in the following areas:
- The number of pre-production vulnerabilities: How securely is code being written before the AppSec team gets involved? Counting findings by severity at this stage, and comparing them with what reaches production, shows how much risk developers are removing themselves. Security should be synonymous with quality, and benchmarking is immensely helpful both in maintaining higher software standards and in tailoring learning to suit problem areas among the cohort.
- Mean time to remediate: the average elapsed time between a vulnerability being detected and its fix being deployed. These days, there is very little time to patch software that is already out in the wild, and catching these vulnerabilities as early as possible in the process is paramount. This metric can also deliver insights into how well a development team is achieving security outcomes while maintaining speed of delivery, which the right upskilling pathways will support.
- Developer trust score: CISOs have earned a seat at the boardroom table now more than ever and being able to prove the effectiveness of their program with easy-to-understand scoring is invaluable in maintaining trust, not to mention ongoing budget and funding.
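The first two metrics above are easy to state and surprisingly easy to get wrong in practice (for instance, quietly dropping open findings makes a backlog look like a fast remediation record). The following script, added here as an illustration rather than taken from any scanner, tracker or vendor product, computes pre-production vulnerability counts, the pre-production catch rate and mean time to remediate per severity from a flat export of findings. The record layout, the team and finding identifiers, and the dates are all constructed for the example; a real export from a SAST tool or ticketing system would be mapped into the same six fields.

```python
"""Developer-facing AppSec metrics from a flat list of findings (added example).

Each row is (finding id, team, severity, stage, detected date, fixed date or None).
The sample rows below are constructed for illustration, not real scan output.
"""
from datetime import date

SEVERITY_ORDER = ("critical", "high", "medium", "low")
STAGES = ("pre-production", "production")

# Constructed sample export: two teams, one finding still open (F-4).
SAMPLE_FINDINGS = [
    ("F-1", "payments", "high",     "pre-production", "2024-03-01", "2024-03-03"),
    ("F-2", "payments", "high",     "production",     "2024-03-02", "2024-03-12"),
    ("F-3", "payments", "medium",   "pre-production", "2024-03-04", "2024-03-05"),
    ("F-4", "checkout", "high",     "pre-production", "2024-03-05", None),
    ("F-5", "checkout", "low",      "production",     "2024-03-06", "2024-03-13"),
    ("F-6", "checkout", "medium",   "production",     "2024-03-07", "2024-03-11"),
    ("F-7", "payments", "critical", "pre-production", "2024-03-08", "2024-03-08"),
    ("F-8", "checkout", "high",     "pre-production", "2024-03-09", "2024-03-15"),
]


def load_findings(rows):
    """Validate raw rows and convert dates; bad data is rejected, not skipped."""
    findings = []
    for fid, team, severity, stage, detected, fixed in rows:
        if severity not in SEVERITY_ORDER:
            raise ValueError(f"{fid}: unknown severity {severity!r}")
        if stage not in STAGES:
            raise ValueError(f"{fid}: unknown stage {stage!r}")
        detected_at = date.fromisoformat(detected)
        fixed_at = date.fromisoformat(fixed) if fixed else None
        if fixed_at is not None and fixed_at < detected_at:
            raise ValueError(f"{fid}: fixed before detected")
        findings.append({"id": fid, "team": team, "severity": severity,
                         "stage": stage, "detected_at": detected_at, "fixed_at": fixed_at})
    return findings


def pre_production_counts(findings):
    """Findings caught before release, by severity (zero-count severities omitted)."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        if f["stage"] == "pre-production":
            counts[f["severity"]] += 1
    return {s: n for s, n in counts.items() if n}


def pre_production_catch_rate(findings):
    """Fraction of all findings that were caught pre-production."""
    if not findings:
        return 0.0
    caught = sum(1 for f in findings if f["stage"] == "pre-production")
    return caught / len(findings)


def mean_time_to_remediate(findings, stage=None):
    """Mean days from detection to fix, per severity, over closed findings only.

    Returns (mttr_by_severity, open_count). Open findings are reported separately
    rather than silently dropped: a low MTTR next to a large open backlog is not
    a good remediation record, and the caller should see both numbers together.
    """
    days = {s: [] for s in SEVERITY_ORDER}
    open_count = 0
    for f in findings:
        if stage is not None and f["stage"] != stage:
            continue
        if f["fixed_at"] is None:
            open_count += 1
            continue
        days[f["severity"]].append((f["fixed_at"] - f["detected_at"]).days)
    return {s: sum(d) / len(d) for s, d in days.items() if d}, open_count


def team_summary(findings):
    """Per-team benchmark: volume, catch rate, MTTR and open backlog."""
    summary = {}
    for team in sorted({f["team"] for f in findings}):
        mine = [f for f in findings if f["team"] == team]
        mttr, open_count = mean_time_to_remediate(mine)
        summary[team] = {"findings": len(mine),
                         "catch_rate": pre_production_catch_rate(mine),
                         "mttr_days": mttr, "open": open_count}
    return summary


if __name__ == "__main__":
    fs = load_findings(SAMPLE_FINDINGS)
    print("pre-production findings by severity:", pre_production_counts(fs))
    print(f"pre-production catch rate: {pre_production_catch_rate(fs):.0%}")
    mttr, open_count = mean_time_to_remediate(fs)
    print("MTTR (days, closed only):", mttr, "| still open:", open_count)
    for team, row in team_summary(fs).items():
        print(team, row)
```

Run it as a script to see the report; the per-team table is the view that makes upskilling targetable, since a team with a low catch rate or a slow high-severity MTTR is where role-based training should be aimed first. Tracking the same numbers quarter over quarter, rather than as a single snapshot, is what turns them into evidence for the board.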
CISOs at the forefront of implementing developer-driven security programs choose upskilling solutions that allow for precision measurement, in addition to customization that is reflective of scenarios they are most likely to encounter in the course of their work. This takes up-front investment and allocation of time, but anything less is destined to have a low impact on meeting Secure-by-Design guidelines, PCI requirements and a plethora of other official recommendations.