When it comes to enterprise cybersecurity, nothing is set in stone. With a constantly shifting threat landscape on one hand and evolving tools on the other, security teams can often feel overworked and overwhelmed.
When you add the additional layer of regulatory requirements, the pressures become even more intense. It’s also forcing many organisations to rethink their internal security programs and align them with evolving regulatory requirements.
The continually shifting goalposts of compliance can leave some teams feeling perpetually behind and ill-equipped to shoulder the burden of increased scrutiny and litigation in the event of a digital disaster.
The Role of Developers
The emergence of tools such as AI coding assistants and security scanners has heightened the need to ensure every role across the enterprise follows security best practices to the letter. When it comes to code-level vulnerabilities, however, no team is better placed to mitigate risk than software developers. Unfortunately, most development teams are not equipped with the skills and tools required to successfully navigate the growing threat environment.
Thankfully, some enterprises have made significant progress, not just in security enablement for developers but also in shaping them as the cornerstone of their security programs. Developer-driven security is a cost-effective way to reduce vulnerabilities in software, but establishing a baseline of skills and verifying security training outcomes against an industry-wide benchmark has traditionally proved elusive.
Recent evolutions in developer security education have enhanced the ability for enterprises to benchmark their cohorts’ security abilities, ultimately designing programs to ensure they operate with security as second nature. This can result in significant risk mitigation and favourable comparisons against others in their industry.
Defining Ideal Outcomes
Increased regulatory pressure is a strong motivator for enterprises to tighten their security programs overall, and many recognise that components like developer security training are non-negotiable. This is especially true when it comes to the usage of AI coding assistants, which can exacerbate security issues if used with high trust and low scrutiny from security-skilled personnel. Still, these upskilling programs vary, and most are incredibly difficult to measure in terms of their success.
This lack of oversight and visibility has led to difficulties for many CISOs in justifying on-the-job security training for developers and, ultimately, proving its effectiveness in targeting and eliminating relevant vulnerabilities in an organisation’s codebase.
There is a clearly defined need for a benchmark that identifies the standing of the development cohort’s skill level in navigating security best practices as well as providing insight into an organisation’s overall health in executing the developer-centric elements of its security programs.
Core Benchmark Attributes
Teams can meet expectations and security training goals internally, but how can they be sure they’re hitting a baseline or general industry benchmark? To build a strong, agile developer upskilling program, the best teams focus on three key areas.
They are:
- Visibility: Assess your program’s effectiveness and empower developer teams to achieve improvements. For example, provide robust reports of individual developer security skills tracking and achievements to increase accountability and highlight areas of improvement.
- Data-driven measurement: Compare success across the industry to facilitate new training and learning methods. Organisations should be able to understand how they compare to key competitors and leaders within their industry through in-depth analysis.
- Flexibility: Identify and optimise your organisation’s security posture with actionable insights. Set meaningful internal goals based on your organisation’s needs and your development team’s pace. Also ensure the training and assessments are aligned with both business needs and the developer tech stack.
This data is invaluable for understanding the wider security picture among the development cohort and allows the prioritisation of addressing relevant education gaps that can deliver an overall improvement in the effectiveness of the security program. This is especially important in targeting key vulnerabilities for reduction and enabling developers to safely take on more sensitive projects once their skills are assessed as meeting or exceeding the intended baseline.
Commitment to Code Quality
As software continues to eat the world at a pace that leaves most experts reeling, it is no longer viable to invest effort into developer upskilling programs that don’t work, can’t be measured in terms of their impact on enterprise risk mitigation, and give developers very little visibility into how they are tracking in terms of their security prowess. Without these critical insights, poor coding patterns persist, and security de-prioritisation and shortcuts are bound to continue.
Most developers want continued growth, yet they continue to be let down by lacklustre security programs that neither make them central to the reduction of code-level security issues nor incentivise this growth with rewards and access to more prestigious projects.
Raising the standard of code quality will take a significant change in how developers view and learn security best practices. With the challenge of protecting against an evolving threat landscape in perpetuity, the time to implement lasting change is now.