The BTN was recently delighted to partner with Snyk, a developer security platform for securing code, dependencies, containers, and infrastructure as code, for an exclusive virtual roundtable with senior leaders across the Security industry.
For this exclusive session, Field CTO at Snyk, Simon Maple, led the conversation with regard to strategies for rolling out and running an effective security champions program.
The conversation brought about the following takeaways:
Build a secure digital society
You cannot develop applications separately from understanding the security aspects of the business. We need to ensure security is embedded in all aspects of our application development. The role of ’security champions’ is regularly perceived as a dream across teams but our communication needs to be pushing the security culture, especially with developers.
When starting the journey of pushing security, we need to clearly define the threat from the start. You can then trigger responsibility across all the stakeholders. We shouldn’t invest time once we build the system, we should embed this security from start, which saves time. We must be of the mindset that if people don’t need privileges, don’t give them. We should be providing privileges based on requirements.
One of the attendees spoke about the use of hackathons internally and modelling processes to enable their developers to understand the threat model and create an intrinsic awareness. It is easy to motivate teams to enjoy security and do hackathons but the battle then comes from managers as they focus on budgeting and internal politics can arise as a battle. We can’t rely on an ‘incident’ being the instigator for the management team paying attention to security. Is it just as easy to claim on insurance than actually invest in security? This can’t be the mindset.
Risk versus benefit of the cloud is key
The group spoke about the varying degree of acceptance when it came to having an interest in established versus new technology. There was an overarching agreement that the experience of the individual had a direct correlation to the resistance to change to newer technologies. The mindset of the experienced individual being that it would set them back to being ‘in-line’ with those who were less experienced overall. There will always be products that are more geographically experienced with regards to people and development, for example, but the way we can get our employees to buy in is by understanding that there isn’t a one size fits all across large organisations. We must realise that not every lesson will fit every member of staff.
The future is without a shadow of a doubt in the cloud, especially with the ever-evolving global workforce and with people needing to access data wherever and whenever they are, we need to create processes that are scalable and secure.
Invest in continuous security
To become an organisation that is secure by design, we must ensure we have support from the top. The word ‘invest’ doesn’t always have to relate to money but we should therefore ensure that our senior executives are invested in the security of our business with their mindsets.
Security regularly goes against a proposed pre-project budget and can be a barrier as security is needed somewhere but is seen as an add-on. Our mindsets on project design should stem from our security champions but also from our budget holders. We should be aspiring to get as much collaboration from the CIO as possible. The buy-in from the top will give us the baseline to build upon and allow us to create a mindset from our execs, whereby we don’t proceed with go-lives unless we have the security controls in place.
We must continuously review all aspects of the code when pushing to live to strive for continuous security. A DevOps culture takes the responsibility of building something that is beneficial for the company so to create the culture of DevSecOps, the code must be secure.
Creating a balance between giving developers the space to innovate versus not giving them enough to break something will always be a challenge but through the utilisation of sandbox environments and investing in security throughout the lifecycle, we can reap the benefits of innovation and security.
The world of security is regularly an afterthought but at the heart of it, if your customer data is comprised, then the exposure and control are lost and the reputation damage is sometimes irreversible.
The use of a particular product doesn’t necessarily make you secure, you must be thinking securely and this is only possible through embedding security into your developers. We should be aspiring to be secure by design.
About Snyk
Snyk is the leader in developer security. We empower the world’s developers to build secure applications and equip security teams to meet the demands of the digital world. Our developer-first approach ensures organizations can secure all of the critical components of their applications from code to cloud, leading to increased developer productivity, revenue growth, customer satisfaction, cost savings and an overall improved security posture. Snyk’s Developer Security Platform automatically integrates with a developer’s workflow and is purpose-built for security teams to collaborate with their development teams. Snyk is used by 1,200 customers worldwide today, including industry leaders such as Asurion, Google, Intuit, MongoDB, New Relic, Revolut and Salesforce.
Snyk is recognized on the Forbes Cloud 100 2021, the 2021 CNBC Disruptor 50 and was named a Visionary in the 2021 Gartner Magic Quadrant for AST.
For more information, visit https://snyk.io.
