For digital transformation to work, developers need to take security seriously

Security heads at GSK, M&S and Williams believe software engineers need a guiding hand

When it comes to innovation, many IT leaders are fond of the mantra 'move fast and break things'. However, if you're responsible for the integrity and availability of your organisation's IT systems, breaking things can have some pretty disastrous consequences.

So how do some of the tech industry's top security chiefs handle the problem of ensuring their companies can move at the necessary speed required to maintain a viable digital transformation initiative whilst also keeping everything as protected as possible?

For Marks & Spencer's head of information security, Lee Barney, the answer is in making sure that you're properly implementing DevOps practices and agile methodologies. The rest, he says, will follow naturally.

"We bake the responsibility for cybersecurity into the first line of defence," he explains. "Making sure the software engineers know exactly what they need to do to code securely, so they are as good as the red team [penetration testers probing the infrastructure for vulnerabilities], for example, in identifying unsecure code and avoiding that... that is the way to do it.

"If you've gone the whole hog with DevOps, that should be fine, because the people who are actually making the changes - not just the software engineers but the people who are responsible for making sure that particular product is up and running - they also know about security. They know enough security to know when they don't know enough, and they then come to you and ask for assistance."

John Meakin, CISO of GlaxoSmithKline, agrees that the key is in enabling developers and giving them a good toolkit for securing and testing their code. After all, he points out, they are the ones who will be responsible for actually delivering security, rather than the CISO.

"You basically let go and allow them to do the security - so long as you're there," he says. "You've got to be there and you've got to be confident in telling them when they're doing it wrong. Because you're there, you're [telling them] early enough that it makes a difference.

"If the design is fundamentally wrong, then you need to point that out; you need to point out the risk. Not say to them 'the design is wrong, this is how you design it'. You point out the risk, which leads them to the decision 'oh, the design was wrong, I need to design it a different way'."

For Graeme Hackland, CIO of Formula One team Williams, achieving 'security by design' in a DevOps environment is tricky if your development team hasn't specifically trained for it. If integrating security as a core part of the development process isn't a natural thing for them, developers will often see the addition of security as something which slows them down when they're on a tight deadline.

"We're getting to the point where you have to get to your developers a lot earlier and get them into that mindset and thinking fairly early in their career," he states. "So it's focusing on the human aspect from my point of view, and making sure that your coders and the testers who are sitting right next to them are in that mindset just without even having to think about it - it's just part of who they are."

However, Meakin also warns that developers need to meet security personnel halfway. While he notes that the culture of a developer community isn't going to change overnight, he stresses the importance of developers evolving and engaging with security on a deeper level.

Thankfully, he sees a new breed of developers and development managers entering the industry who do truly understand the value of security and are happy to work with security teams as a core part of the development process.

"One of the great things within GSK is that there's been a recognition that not only does security need to adapt its approach but the developer community themselves need to adapt their mindset," Meakin says.

"What we're finding is that as we look out at the developer community as part of a natural refresh, we're finding a generation of developers - including development managers - who really get security. They don't know all the techie details we do... but they get security and they're prepared to give security almost equal weighting with business function points."

Picture: Shutterstock
