When IT security teams roll out Zero Trust programs without involving software developers, resistance and confusion can increase cyber risk …

Security continues to be of paramount importance to every organization, but the transformation to a more distributed environment is challenging many enterprises as they work to secure their data, applications and workloads.

One major cause of obstruction is a distinct disconnect between developers and IT security teams: they may be working in silos rather than shouldering the shared responsibility to protect clouds, apps and all digital infrastructure holistically within a zero trust architecture.

In order to build a more secure perimeter, CIOs and CISOs in IT and security must collaborate, despite having conflicting objectives, argues Karen Worstell, Senior Cyber Security Strategist, VMware, in a Q&A interview with CybersecAsia.net.

Karen Worstell, Senior Cyber Security Strategist, VMware

CybersecAsia: Why is there a divide between developers and security teams in fulfilling the Zero Trust Promise? Can this divide be eliminated simply by leaders being made aware of it?

Karen Worstell (KW): As security professionals work to create a secure environment for organizations, developers are often left out of security planning processes but are then tasked with carrying these procedures out.

This creates a fractured relationship between developers and IT security teams. Among the many reasons for the siloed functioning:

  • IT security policies are often not designed with developers in mind. This leaves developers feeling as if they are not responsible for security tasks and do not have a clear understanding of how to comply.
  • Development and security teams do not speak the same language. Having a security advocate that asks the right questions and takes the time to get to know the development teams can go a long way to building trust between teams.
  • Many organizations struggle to strengthen relationships between departments. The lack of communication and lack of clarity among roles has a major impact on collaboration across teams.

According to our research, security teams need a perception shift. Rather than being seen as the team that only swoops in to fix breaches and leaks, they should be embedded across people, processes, and technologies. Security needs to be a team sport that works alongside IT analysts and developers to ensure protection across clouds, apps, and all digital infrastructure. This will develop a corporate culture where all teams have shared interests and common goals or metrics, and where they speak one language.

CybersecAsia: Can you share a spectacular example of rollout resistance and other consequences arising from the non-involvement of developer teams early in Zero Trust rollouts?

KW: Since zero trust is a holistic approach to security across applications and infrastructure, it is essential that the DevOps processes in place have been designed to incorporate security principles and policies into the full stack. This includes having shared libraries of open source that are trusted. Speed in DevOps is crucial, and practices have evolved such that vulnerable code in a shared process brings other productive work to a halt.

We saw an example of this with Log4j and it is causing all of us to examine the processes for utilizing open-source libraries. Log4j was not exactly a case of not involving developer teams early, but it serves as a vivid reminder of how impactful a flaw in security controls in DevOps can be. 

As with any workflow, it is best to find the points as early in the workflow as possible, to shift left more and more, so that teams can be most efficient, and workflows are effective. Rework and identification of problems are very expensive.

When this is done as a collaboration between security and development teams, we have the best chance of identifying the problems before they run out of control. 

CybersecAsia: What are the necessary steps for organizations to take to strengthen security, IT and development relationships for optimal DevSecOps results?

KW: Greater cross-collaboration is required between the developer and security teams to strengthen an organization’s security posture via zero trust. The relationship between these teams significantly impacts an organization; the benefits include not only increased collaboration, but also more secure applications, increased agility, and continuous compliance.

  • Security needs to have a drastic perception shift and should be deeply embedded across people, processes, and technologies. This means involving developers in security strategy planning early on.
  • Security must be a two-way street right from the beginning, and developer teams need to be involved in making decisions about the kind of applications and tools that impact their work processes. Our studies show that most of the time, developer teams are involved in choosing the tools and technologies that directly impact their work, while 27% of the developers surveyed are not involved in security policy decisions, despite many of them greatly impacting their roles, and only 22% said they understand what security policies they’re expected to comply with. 
  • Security teams also need to provide adequate training on security policies, procedures, and compliance measures, and engage developers in the zero trust journey from the beginning so the latter can also raise potential security issues in development work. 
  • One of the most effective ways to improve the relationship is to have shared Key Performance Indicators so that developers can treat security issues with more importance and increase collaboration with the security team. Communication of objectives and priorities, and cross-functional collaboration, can substantially improve once the silos are broken down.
  • Lastly, automating security allows both teams to focus on their actual schedules instead of spending time on each and every alert. Security teams must provide the development teams with automated processes that are integrated with seamless sharing of data between products and tools.

CybersecAsia: Knowing that IT and security teams (or any other business function) must not work in silos but collaborate and become stakeholders, what advice do you have for leaders to enshrine best practices into their organizations’ manifesto for all future leaders to abide by?

KW: Business leaders must help the teams actualize the benefits of increased collaboration, which include improved security, agility, and innovation—all of which are crucial to both security and development teams.

Leaders should also empower teams to overcome unification obstacles to increase innovation and agility, which in turn allows for security to be embedded in the development process.

It is time to start changing the way security accountability is shared in an organization and to drive a common culture across all parts of the business when it comes to security.

CybersecAsia thanks Karen for sharing her views about the pitfalls of siloed IT and development teams.