How would you rate the cybersecurity maturity of your organization? This is not an easy question, and it has no concrete answer, as even the most robust organizations can still find themselves on the wrong side of a breach.
The truth is that all organizations sit somewhere on a larger maturity curve that continually shifts as conditions change. As the need for strong security grows, these organizations must find new ways to improve their overall defense – a challenge in unregulated industries that may already find themselves behind the curve.
Regardless of the starting point, improving security maturity can be a struggle for organizations at every level as the industry collectively grapples with skills shortages and a complex threat landscape.
The three stages of security maturity
While an organization’s exact maturity remains hard to define, we’ve found that development teams often fit into one of three stages based on their behavior:
Defining: These organizations have identified the need to define and build the security maturity of their development teams. They realize that software vulnerabilities exist in their code and must be addressed, but they lack the processes and skills to remediate them. These organizations may have started to plan how to build their developer maturity but remain reliant on a reactive approach. AppSec Managers and developer teams may not have a close relationship.
Adopting: Organizations at this stage have begun to adopt and incorporate secure coding practices into all stages of the software development life cycle, but it remains a work in progress. Development teams may have good fundamental practices for improving security maturity but still battle inconsistencies because efforts remain siloed. Organizations can stay in this stage while they build better relationships between developers and security teams and ensure developers have time to learn and practice new coding skills.
Scaling: At this stage, organizations have implemented a cohesive approach to secure coding with a foundation to improve and evolve practices as needed. Developers at this level act as a true front line of defense and have mastered the fundamentals of secure coding practices. As a result, management advocates for security and functionality to have equal importance, and both are baked into developer workflows.
Improving developer maturity
Development maturity does not come without an organization-wide push to make improvements. Maturity goes beyond simply hiring experienced developers; it requires creating a training-focused ecosystem that encourages and rewards developers for expanding their skill sets.
To build this environment, organizations first need to establish a consistent measurement of security maturity. This includes defining a plan to upskill developers and providing them with an opportunity to grow. Organizations often neglect developer training, relegating it to a once-a-year activity that checks a compliance box.
Instead, offer developers the opportunity to train on tools and techniques that interest them and help the organization’s overall maturity. Focus on individual training that allows developers to build on existing skills and learn with hands-on practices that build off one another.
That training should cover all aspects of development but also emphasize security. Skilled and willing developers who are security-aware and passionate should be appointed security champions. Their responsibility as a champion is to help their fellow developers improve their skills, in addition to acting as a liaison between the development and AppSec teams. These leaders can take a hands-on, technical role in helping out their fellow developers; however, they should not be positioned as the security lead within the developer team. The goal of security champions is to coach fellow developers as they build security skills to the same standard.
There should also be an understanding that progress never ends. Create a schedule for continuous check-ins so there is consistent improvement.
The road forward
Organizations today face continual attacks on the technology products they use. The software development process largely overlooks security under pressure for speed and deadlines. Enterprises must understand that they have a role to play in defending these systems.
Building a mature development organization can strengthen overall security. It trains developers to work on the front lines of defense, allowing them to make the necessary changes to secure systems. Developer maturity takes time, patience, and a plan. The rewards, though, make it worth the effort.