Here are 5 steps to set up a software security group (SSG) that can improve your software security posture and lower the cost of cyber attacks.
In many organizations, security leaders are balancing network, software, endpoint, even physical security as part of their responsibilities. They must balance budget and resources across all areas. Most don’t have specific expertise in the evolving requirements of software security—nor are they expected to.
Traveling with a group will motivate you to pick up the pace. Working together, a team will share the load and make everyone’s pack lighter. The right team can make the difference between a painful slog and an incredible adventure.
A software security group, or SSG (an assigned group with full-time responsibility), identifies software security as a specific area of cyber risk, managed by a team that understands the unique challenges of acquiring, creating, deploying, and managing secure software.
Having an SSG is a clear indicator of software security maturity, according to the Building Security In Maturity Model (BSIMM). All BSIMM participants that implement the most advanced risk management activities have an SSG.
A well-functioning software security group can lower the cost of a cyber attack. Companies that employ expert security staff can reduce cyber crime costs by an average of $1.5 million. Those that appoint a high-level security leader reduce costs by an average of $1.3 million.
The SSG is ultimately responsible for finding and fixing software security defects in software you develop, license, or manage. It also helps ensure the vendors with whom you share data have adequate software security initiatives of their own.
A software security group is unique. It sits at the crossroads of the security and development functions and looks for interaction points between the two groups. It manages the process of introducing software security into the software development life cycle and, on the flip side, integrates the development perspective and process into security policies.
The software security group also serves as a ‘center of excellence’ for all software security needs, such as policy, standards, tools, experts, training, and so on, so that people have a place to get answers and improve their skills.
To increase awareness and education of software security, the SSG reports on software security metrics, communicates results to executives and the organization at large, and makes the business case for needed resources.