Speed is the currency of today's business environment. Companies need to understand and deliver on customers' expectations ahead of their competitors. Business units are continuously innovating products and processes and want to quickly pivot their strategy if any one direction proves promising. Technology is key to making this happen.
Two-thirds of business leaders today believe their companies must pick up the pace of digitization to remain competitive, so it's no surprise that digital strategy and digital transformation are now board-level conversations.
To meet digital expectations for responsiveness, output and "always on" products, corporate IT departments must integrate delivery, engineering and support teams. Progressive IT leaders are experimenting with several major changes to the established way of developing IT projects and collaborating across various parts of the IT organization by employing Agile development and assembling DevOps teams. The aim of these new ways of working is to increase IT delivery speed.
Unfortunately, the information security (infosec) function is behind the curve in this effort: Governance practices designed to protect the organization against security breaches often hinder IT speed. In fact, 71% of CISOs believe their stakeholders view the infosec function as an impediment to speed-to-market. To change this perception, CISOs must seize the opportunity to adapt to new methods of IT delivery and reshape security governance processes.
Traditional information security processes aren't fast enough
Security's existing governance practices are not structured to support IT speed, which often puts the function at odds with the applications development community. In some organizations, this means applications go into production with vulnerabilities; in others -- where security teams have the authority to delay deployment until vulnerabilities are fixed -- the enterprise's digitization efforts risk being outpaced by competitors.
In particular, three challenges often reduce the security organization's ability to support IT speed:
1. One-size-fits-all training model helps no one. Security's one-size-fits-all training methods are disconnected from developers' daily work. This results in training being perceived as irrelevant or even punitive, eliciting a purely "check the box" reaction.
2. Demand for security far outstrips supply. Because it's difficult to predict the appropriate need for and level of security required for IT projects in advance, demand can quickly outstrip a security team's capacity. Although security's budget has grown markedly year-over-year, it's become increasingly difficult to fill open staff positions. These trends make it unfeasible for security to continue practices like aligning infosec staff to projects or performing certain governance activities such as application testing themselves.
3. Waterfall by design. The way security organizations currently provide guidance to project teams -- publishing security guidelines in a document housed on a site and engaging with teams directly during mandatory, calendar-driven security reviews -- doesn't work well with Agile development and DevOps, leading to deployment setbacks that delay IT delivery speed and create inefficiencies. This is due, in large part, to traditional security governance processes being designed to work in Waterfall environments with clearly defined and scheduled stage-gates.
Guiding principles for supporting IT speed
Security functions that successfully adapt their governance practices to support IT speed adopt two guiding principles:
1. Drive long-term changes to developer behavior by prioritizing developer speed. To support more IT projects, security organizations need to reserve their direct involvement for the riskiest or most significant projects. To do this, the security function should work to improve the likelihood that developers independently make sound application design decisions, and that developers will flag decisions that are especially significant and so warrant added assurance from peers or from security.
Security typically requires developers to attend formal security training sessions. But this training rarely helps delivery teams meet speed-to-market or security goals because developers struggle to apply what they have learned to their day-to-day work. Furthermore, in the absence of clear business outcomes, applications leaders are often reluctant to divert developers from their core responsibilities to attend training. In place of these formal trainings, mature organizations monitor coding behaviors for individual developers, root-cause the reason for the insecure coding outcome and tailor training to specific developers or teams.
2. Automate and delegate security governance wherever possible. This requires the security function to streamline IT project governance and adapt it for Agile and DevOps, allowing it to support more of the IT project portfolio. To do so, CISOs should more aggressively drive automation and delegation, allowing their security organizations to move beyond project-level governance.
Security governance can be automated and delegated with help from several tools and process changes that will streamline the review process, cut down on the number of handoffs and increase speed for development teams. Static and dynamic scanning tools (e.g., Nikto, AppScan) placed into developers' hands virtually eliminate downtime due to developers waiting for security to perform vulnerability scanning. Plug-ins incorporated into the DevOps pipeline can run passively in the developer environment and notify developers when certain security issues crop up.
Information security today has an opportunity to significantly improve IT delivery speed. The function needs to take advantage of changes happening in the broader IT organization to introduce practices that will drive long-term changes in developer behavior by prioritizing developer speed and automating and delegating security governance.
About the authors
Jeremy Bergsman is an IT practice leader at CEB, now Gartner. He oversees CEB's Leadership Councils serving heads of enterprise architecture and heads of information security, as well as the CISO Coalition. Daria Kirilenko is associate director for information risk at CEB, now Gartner.