Bridging the gap between IT, security and developers
Scott McKinnon, Principal Security Architect at VMware EMEA, explains how the gap between IT, security and developers can be bridged to innovate quickly
Departments must work together to innovate quickly.
Customer experience is the most important business objective for companies today. And it’s how quickly you can deliver that experience that sets successful companies apart. Delivering quality, innovative and secure products and services quickly is the big differentiator in attracting and retaining customers and meeting market demands.
Today, almost regardless of company size or market sector, this depends on the alignment and collaboration of an organization’s technology teams (IT, security, and developers). If this relationship does not work, if developers are shackled in their creativity, if applications disclose customer data, and if infrastructure and platforms are not resilient, the business threat is very real. This can lead to reputational damage, legal and compliance issues, demotivated staff and retention issues, and an inability to compete.
Security, in particular, must meet the needs of, and align with, the rest of the business. Modern, distributed organizations now need security to be “everywhere”: not just integrated, but built differently, and designed for the post-COVID-19 accelerated sprint towards digital transformation, which has also rapidly expanded the threat landscape.
Still, the extent to which the relationship between security, developers, and IT teams needs to improve is significant. According to our new research with Forrester, 61% of IT teams and 52% of developers currently view security as a barrier to their innovation, while only one in five developers even understand the security policies they are expected to adhere to. Senior leaders are now focusing more on development and security relationships, but one in three are still not collaborating effectively or making progress in strengthening them.
Where is the disconnect? Why do negative relationships persist and where does security lie in this scenario? What needs to change to ensure security is pervasive across the enterprise, to drive innovation, control, and ultimately customer success?
Change the conversation
The lack of common goals between security, IT and developers has long been a problem, exacerbated by the potential complexity of today’s modern multi-cloud application world. Our recent study reveals that not all teams are aligned with customers, with the number one priority for IT and security teams being operational efficiency (considered most important by 52% of both respondent groups). In contrast, development teams prioritize improving the user experience (50%), which is only fourth for IT and security teams, while preventing security breaches is second for IT and security teams, but only fifth for developers.
This lack of alignment is perhaps understandable – developers tend to be slightly siloed, as their priority is the end customer. Their success is usually based on creating an attractive application, as quickly as possible, to position the company first in the market: to create the next big thing and do it before everyone else. Only once there is a product that works does its security become a priority. This is now accepted as too late in the day.
But even that raises more questions than it answers, primarily the issue of a common language. A developer’s ‘user’, for example, is the end customer – where the revenue comes from – whereas the IT and security user is traditionally considered internal. And most importantly, “security” means very different things to these three teams. For developers, it is application code security (code bugs) and support for secure communication protocols (HTTPS everywhere); for IT, it is infrastructure security and lifecycle development; for the company, security means the security of the personnel, the building in which they work and the protection of data. So, it’s not just that the priorities aren’t aligned, it’s that the fundamental terminology with which those priorities are even spoken of doesn’t translate across all teams. The alignment conversation is not only late, it is being held in different languages within the company.
Security perception problem
Then there is the perception of security, which is still seen as an obstacle for developers and IT in organizations. For many, it is not yet sufficiently integrated into the company, neither in terms of personnel nor technology. As a result, more than a quarter of developers are not involved in security policy decisions at all, although many of these have a significant impact on their roles.
We need to move from this to a scenario where security as a technology is thought of differently. It is there to support the brand, build trust between employees and customers, and optimize application delivery. It is there to eliminate the false choice between innovation and control.
So rather than the previously mentioned “afterthought” moment of app development, where the security function seems to step in to fix flaws and leaks or “hinder” innovation, more collaboration is needed. This can help security become pervasive yet invisible within the organization. It should no longer be considered a specialization, but be anchored from the outset in the life cycle of innovation. And, above all, it must be recognized as part of the customer experience. After all, you can have a nice car that performs fantastically, looks amazing and pays off – but if the brakes don’t work, it’s not fit for purpose.
A way forward
When it comes to making this change, you have to start at the top. Who is the primary decision maker for security, IT and developers? The reality is that it varies wildly; different reporting lines, different lines of business, different levels of representation at board level. Security has always been aligned with IT. But should we now see a shift in its focus towards developers, from firewalls to building secure applications – as the latter becomes a strategic driver of business innovation? It’s currently a Wild West of ownership, fueling the lack of strategic alignment between these teams.
Aligning priorities, under the responsibility of a single seat at the table – a digital transformation manager or similar – will be essential to bring teams together in vision, strategy and execution. This will encourage sharing and alignment on KPIs. And it will help these teams collectively sell across the business – to secure funding, to convince their internal customers to engage with products and solutions, and to shift the dynamic from responding to change to driving it proactively.
This will help drive cultural change. It is not simply a process of education, of bringing teams together in terms of language and understanding; it’s a change where the teams are united around a common priority: customer orientation. The principles of something like Total Quality Management (TQM) can help bring this to life – a systematic approach to ensuring long-term success through customer satisfaction. TQM starts with customer focus, then moves through principles such as total employee involvement, process thinking, continuous improvement, fact-based decision-making, and communications. The security function in particular could align more here, to ensure it is better integrated into the development lifecycle that drives the business forward. Ultimately, the operation behind application development and deployment has grown; now security must do the same.
Towards a future state
The good news is that shared team priorities and commitment are recognized as the way forward. More than half (53%) of respondents expect security and development teams to be unified within two to three years, and those who believe barriers prevent this unification are expected to drop from 49% to 28% in the next few years. 42% expect security to be more integrated into the development process in the next two to three years, and cross-team alignment is widely believed to help companies reduce team silos (71%), create more secure applications (70%) and increase agility to adopt new workflows and technologies (66%).
It is also recognized that security is more than just an insurance policy. It can enable development teams to achieve their goals in the safest and most efficient way rather than impede innovation and create security hurdles to work around.
Continuing and accelerating this progress must be a priority for business leaders. The relationships between these three teams have a major impact on organizations, and their alignment delivers more resilient applications, greater responsiveness to market conditions, and ongoing compliance. Yes, security needs to rethink its processes to encompass more of the teams it supports. But IT, security, and developers must all come together to support a “future state”; one where customer focus, fueled by a systematic approach and senior ownership, unites technology teams and empowers them to drive the business forward.