“So we thought simplicity would be a good way to go,” she said. That led to the creation of what they called a Product Intelligence dashboard that yielded a single “security product intelligence” score.
“It was similar to a credit score,” she said, noting that it immediately caught the attention of product teams, which were allowed to get into the data weeds as much as they wanted.
“We spent a ton of time on data integrity,” Czaplewski said. “We let them run the numbers themselves. And now developers trust it.”
Another security “myth” that needs to be simplified, she said, is the one that contends it is mandatory to “scan ALL things.”
“It’s too much information,” she said. “We were unable to prioritize.”
In Target’s case, she said her team created a “security ninja” program, which then worked to guide product teams in best practices, including maintaining an app inventory—yet another element of security hygiene, given that you can’t protect what you don’t know you have.
But the bottom-line goal, she said, is to “make the secure way the easy way” for developers.
“If you simplify, less is usually more,” she said.