Having to constantly measure return on investment (ROI) is the bane of many executives’ lives. For CISOs, the key challenge is proving the business value and effectiveness of cybersecurity efforts.

For years, many CISOs have struggled to educate their developers about the importance of putting security first. They’ve also been working to control an increasingly complex threat landscape and spiralling attack surface, all while navigating a security skills shortage.

They need a new approach that helps to uplift the security culture organisation-wide while ensuring AppSec professionals and developers alike have what they need to drive down vulnerabilities and risks.

The Gap Between ‘Good and ‘Great’ Developers Is Widening

As much as many IT professionals would like to return to the simpler times of the 1990s, aspects of life back then simply don’t translate to the present day – and software development is no different.

However, many organisations — especially those with complex legacy systems — struggle to modernise their security programs to accommodate a rapidly digitising world that constantly demands more from software. According to a McKinsey study^[1], AI coding assistants can increase the productivity of less complex coding tasks by up to 50%, bringing about further increased code velocity that many are ill-prepared to secure efficiently.

It’s important to ensure that developers are the beating heart of an enterprise security program. This requires precision and continuous security enablement. There is simply too much code to leave it all for AppSec specialists to wade through.

The ideal state is a veritable army of security-aware developers, and this is rapidly becoming the gauge for a strong security posture. However, with on-the-job upskilling so hit-and-miss, the gap between ‘good’ and ‘great’ developers is widening.

Many CISOs struggle to measure cohort performance in their programs, despite code-level vulnerabilities being a problem that requires a human solution in the form of security proficiency among the development team.

Reducing Code-level Vulnerabilities

There often tends to be something of a standoff between developers and their AppSec counterparts, where there is little empathy on either side. There is a serious need to align these teams to one common goal, and that is maintaining code quality and security.

Until developers are enabled to assume responsibility for the security outcomes they can control, this friction is likely to remain, and it’s not too dramatic to suggest the future of digital security depends on getting this balance right.

Supply chain attacks represent an avenue for major disruption and, possibly, the chance of a huge payday for threat actors. For this reason, it is unsurprising that these types of breaches are becoming more frequent.

As has been seen with the likes of the Colonial Pipeline attack, SolarWinds, and Log4j, small windows of opportunity like misconfigured APIs and successful privilege escalation can lead to years-long exploits that have the potential to affect millions of people.

Often, these bugs are the result of poor coding patterns that many developers adopt and execute every day and will continue to do so unless their secure coding skills are honed, assessed and verified.

Increasingly, leading CISOs are no longer leaving this to chance and are raising the bar with three key tactics:

• Executive buy-in:CISOs have traditionally found some resistance in boardroom conversations, largely due to the notion that cybersecurity is viewed as a cost centre, with return on investment difficult to prove. The best CISOs demand their seat at the table and articulate the necessity of a funded security program.
• Holistic, developer-driven security programs:Security programs that fail to address the people factor in driving down vulnerabilities clearly trail behind those that do, but true innovation is realised by CISOs who make developers the star of their show. In a true DevSecOps environment of shared responsibility, this is not an unattainable cybersecurity nirvana: it’s the standard.
• Continuous optimisation:What cannot be measured cannot be improved, and the best CISOs adopt a deliberate strategy to measure every part of their programs and devise pathways for improvement. Developers especially need role-based, comprehensive upskilling pathways, and these need to replicate the work they do day-to-day. They should be assessed before and after training programs, and only those with verified security skills given access to more sensitive projects and repositories.

Benchmarking Security Skills Is Key

It is vital to place collective effort into addressing and uplifting developer security skills, with precision not previously afforded to this significant piece of the cybersecurity puzzle.

CISOs must display leadership and empower their organisations to benchmark and optimise security performance. By doing this, code can be produced efficiently and used securely.

[1] https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/unleashing-developer-productivity-with-generative-ai