Security investments require executive buy-in. Learn what key development motivators can help justify your security program updates.
As development speeds increase rapidly, organizations often struggle to introduce or maintain security practices capable of keeping pace. Security teams can also find it difficult to get the top-down buy-in and support they need for a security overhaul. So we’re outlining the key drivers and motivators for improving security velocity that you can use to justify your own organization’s security upgrade needs.
Start with an assessment of your existing security program. This will help give you a prioritized and tailored understanding of your security needs. After you identify the weakest parts of your security program, you can more easily defend changes and their associated cost and resource demands.
Next, a thorough identification and analysis of your existing friction points can help you uncover key inhibitors and prioritize their fixes. Examine the root cause of development and security delays, any gaps in your existing processes, and delays caused by manual practices. Your focus should be on introducing integrations and automation whenever and wherever possible into your pipeline.
Reducing costs, risks, and rework effort is also key. It’s important to define your baseline: measure the volume of rework and how long it takes your team to close rework tickets. You can then determine your risk by distinguishing severe tickets from low-risk ones and applying your defined risk policies to each.
Once you understand your weaknesses, you can use motivators specific to your organization to get the support you need to address those weaknesses. There are three overarching motivators you can use to get the conversation going: fulfilling compliance requirements, meeting customer and market quality standards, and performing quality engineering.
Security compliance is a legal concern for organizations in all industries. Regulations and standards such as PCI DSS, HIPAA, and ISO 27001 define rules for protecting data and improving information security management at the enterprise level. Identifying the compliance and regulatory demands relevant to your organization can help enable top-down support for security practices and improvements. Once you secure the buy-in, you can start making regulation-driven upgrades to your security program. There are two easy places to start.
Both your customers and the competitive nature of the market itself demand that you produce high-quality, secure products. Failure to do so puts your reputation and success at serious risk. In addition to analyzing your security gaps, you can use the ISO/IEC 25010:2011 product quality standard to further justify your particular code quality needs.
Framing the discussion of quality standards against a tangible and proven model can help eliminate stakeholder doubt. Using this ISO model will help to bolster your arguments and validate the need to improve security practices.
Implementing quality engineering practices entails moving QA into the development process itself. This shift helps identify shortcomings earlier, at a stage when changes and adjustments can be made more easily and cheaply. This driver of overall quality improvement protects the reputation and success of an organization.
Quality engineering should focus on:
The growing need to ensure security at speed continues to drive considerations of security improvement. It’s vital to use data and facts to justify security program improvement requests. Armed with an understanding of industry-driven motivators for improvement, your conversation with key stakeholders becomes an indisputable argument for support.
Stay tuned for our three-part series on the enablers and drivers of practicing security at speed.