How do you rate your organization’s cybersecurity maturity? This is not an easy question, and there is no concrete answer, since even the most robust organizations can find themselves on the wrong side of a breach.
The truth is that all organizations are somewhere on a larger maturity curve that continually changes as conditions change. As the need for enhanced security continues to grow, these organizations must find new ways to improve their overall defense – a challenge in unregulated industries that may already be falling behind.
Regardless of the starting point, improving security maturity can be a struggle for organizations at all levels, as the industry collectively grapples with skills shortages and a complex threat landscape.
The three stages of security maturity
Although the exact maturity of an organization remains difficult to define, we have found that development teams often fit into one of three stages depending on their behavior:
Definition: These organizations have identified the need to define and strengthen the security maturity of their development teams. They realize that software vulnerabilities exist in their code and need to be fixed, but they lack the processes and skills to fix them. These organizations may have started planning how to mature their developers, but they still rely on a reactive approach. AppSec managers and developer teams may not have close relationships.
Adopt: Organizations at this point have begun to adopt and embed secure coding practices at all stages of the software development lifecycle, but it’s still a work in progress. Development teams may have foundational best practices in place to improve security maturity, but they still struggle with inconsistencies because their efforts remain siloed. Organizations can stay in this stage while building better relationships between developers and security teams and while ensuring developers have time to learn and practice new coding skills.
Scaling: At this point, organizations have implemented a consistent approach to secure coding, with a foundation to improve and evolve practices as needed. Developers at this level act as a true first line of defense and have mastered the fundamentals of secure coding practices. As a result, management advocates that security and functionality have equal importance, and both are integrated into developer workflows.
Improve developer maturity
Development maturity does not come without an organization-wide push to make improvements. Maturity goes beyond simply recruiting experienced developers; it requires creating a training-focused ecosystem that encourages and rewards developers for expanding their skills.
To create this environment, organizations must first establish a consistent measure of security maturity. This includes defining a plan to improve developer skills and providing developers with an opportunity to grow. Organizations often overlook developer training, treating it as an annual activity that ticks a compliance box.
Instead, give developers the opportunity to learn about the tools and techniques that interest them and that contribute to the overall maturity of the organization. Focus on one-on-one training that lets developers extend their existing skills through hands-on exercises that build on each other.
This training should cover all aspects of development, but it should also emphasize security. Skilled and willing developers who are security conscious and passionate should be named security champions. Their responsibility as a champion is to help their fellow developers improve their skills, in addition to acting as a liaison between the development teams and AppSec. These leaders can play a hands-on technical role in helping their fellow developers; however, they should not be positioned as a security officer within the developer team. The goal of security champions is to support other developers as they build their own security skills to the same standard.
You also have to understand that progress never stops. Create a schedule of regular check-ins so that improvement is continuous.
The road forward
Businesses today face continual attacks on the technology products they use. The software development process often neglects security under pressure to deliver quickly and avoid delays. Businesses need to understand that they have a role to play in defending these systems.
Building a mature development organization strengthens overall security. It trains developers to serve as the first line of defense, enabling them to make the changes needed to secure systems. Developer maturity takes time, patience, and a plan. The rewards, however, are worth it.