
DevOps Needs Security Champions

9 Dec 2020 9:00am, by John Worrall

John Worrall is CEO of ZeroNorth, having joined the company in 2019 as chief executive officer to lead its delivery of the only platform for risk-based vulnerability orchestration across applications and infrastructure. As CEO, John heads up all aspects of the company’s strategy, product, operations and go-to-market functions. Prior to ZeroNorth, John was chief marketing officer (CMO) at CyberArk, where he played a critical role in leading the company through its initial public offering.

From developers to security pros to corporate leaders, professionals in the world of application security are facing questions around how they can effectively unite in the name of secure and better quality software. Just as the two realms of development and operations once came together to produce DevOps, essentially revolutionizing the speed, capability and agility of software development, there is now a shift happening in the industry to bridge the critical divide between that DevOps community and the invaluable piece of application security (AppSec).

This chasm between AppSec and DevOps has been borne out in the data, most recently through a report conducted by the Ponemon Institute, whose research illuminates the need for better unification. According to its findings, 77% of developers say this existing cultural divide cripples their ability to meet deadlines with quality software, while 70% of security professionals say this lack of alignment puts the security of applications at risk. These statistics highlight the essence of the problem, which is not about technology meeting our needs — but rather, the need to find people who can champion the effort of change.

Welcome Security Champions

As organizations continue to look for more effective ways of integrating security tools and practices into their DevOps process, without affecting the speed of innovation, they are turning more and more to a new brand of superhero, a dedicated professional who can wear the figurative “cape” of unity. Otherwise known as a Security Champion, this committed individual has the potential to unite teams for the good of software through the creation of a special organizational program.

A Security Champions Program guarantees the integrity and excellence of software won’t be compromised. Instead, the presence of a dedicated security advocate can serve as a motivator for all teams to collaborate on deploying better, more secure software. To better prepare DevOps teams for their security remit, these programs are starting up within organizations looking to establish a culture of security across the entire development process.

To find out more about the overall success of these Security Champions Programs, ZeroNorth recently surveyed a broad swath of security and development professionals. Turns out, 84% of those respondents believe a Security Champions Program can bolster the integrity of software while also improving relationships between these two teams. These findings signal some significant changes for the future, ones with the power to successfully bring security and development together through a centralized authority.

Developers are forced to trade security for speed to accelerate product development and meet ambitious timelines. In fact, 65% of DevOps professionals say the pressure to develop applications faster than ever is real and not slowing down, a belief also supported by 50% of AppSec professionals. Developers and security teams also agree on what challenges keep their application security posture from being fully effective. Both groups concede the growth in vulnerabilities is the biggest deterrent to achieving a stronger posture. As security scanning increases, so too does the number of found vulnerabilities, and developers face a constant stream of remediation tickets. This reality combined with the pressure to release new applications can lead to vulnerability overload, making effective application security harder to achieve. A dedicated Security Champion can ensure these issues are resolved throughout the entire process, from code commit to build to deployment.

We can better visualize this change by digging deeper into the survey data. While the notion of a Security Champions Program isn’t new, 67% of these initiatives have only been active for less than two years, with almost 40% in place for even less time. For these organizations with programs in place, 78% said the role of the Security Champion has strengthened the security skills and knowledge among developers. This means DevOps professionals have much to gain from this type of organizational shift.

Finding the Necessary Support

Unlike the superheroes we see on the big screen, Security Champions in these programs need training, education and plenty of executive support. They also need the right tools to do the job. Without them, they cannot be expected to meet their security initiatives.

Included in the “must-have” tool list is a deep understanding of software development and agile best practices. Champions need to have insight and understanding to earn the respect of DevOps teams. They also need to have a security platform that can provide the automation and orchestration necessary to meet both governance and speed requirements.

Corporate security leaders are also in charge of enlisting the right Security Champion for the job. This person can be a team member from either side, security or development, who is willing to champion AppSec initiatives while working to embed a culture of security across the development life cycle. These security superheroes then work to build bridges between the two teams and ensure accountability and visibility aren’t lost, to make sure security doesn’t fall through the cracks. This effort by CISOs also includes helping to define security priorities, training professionals to assume the role, educating everyone on best practices and creating an essential framework where results matter and security is never second.

Flying High for Security

Viewing application security as a burden — or worse, an afterthought — is no longer an option. Senior leaders must lead by example and demonstrate on every level how security is, in fact, a business differentiator — not an obstacle. CISOs and their respective Security Champions must work authentically and clearly communicate how AppSec vulnerabilities can threaten the integrity and success of the business, in the same way as financial or physical risk.

Once these Security Champions have training, security tools and best practices under their belt, donning the cape to safeguard business and product lines is next. This champion-like ability will in turn enable them to help developers meet their goals while also supporting organizational risk and compliance requirements. And once everyone acknowledges the many ways a Security Champion program can improve the state of AppSec, including all the business benefits resulting from strong product security, they will hopefully find software gets better when a real champion wears the cape.
