Engaging business units in security governance: Why everyone should be concerned
The idea that security is everyone’s business is a familiar refrain. But as enterprises look to combine the speed of software delivery with both cybersecurity and business value, they need to incorporate the idea that business is everyone’s business too. When talking about governance with regard to software development and security, you cannot ignore the business.
Security governance typically operates at two levels. The first involves business executives who recognize the importance of security and privacy, but who are focused on delivering value to customers. The second involves teams focused on meeting executives’ needs by focusing on the pieces of making that happen, from technical processes to hiring and other factors. But those two levels don’t always interact in a way that delivers value to the business.
What’s missing is a complete, end-to-end, traceable and repeatable model that provides assurance to the business that the work being done is in fact offering value both in terms of speed and in helping them manage the risk.
DevOps, with its methodology of continuous development and delivery, has greatly accelerated the rate at which software is put into production. Bringing security into the mix from the start of development—DevSecOps—is gaining traction in a number of industries as a way to ensure that security isn’t overlooked in the pursuit of speed. However, DevOps is all about technical issues—how many releases are made daily, what types of vulnerabilities are found and fixed, and so on. A lot of the automation that is essential to DevOps focuses on those types of issues, bugs, etc.
But enterprises need to ensure that business needs don’t get left out of the process, either.
A team may be able to fix a problem with its software, for example, but if it has no impact to the company’s overall goals, no value is actually generated. Businesses need a balanced approach to development that ensures that software is delivering value as well as meeting security and privacy requirements.
When addressing the question of governance, they need to start with a concrete understanding of business value, which can somewhat differ across industries. The priorities of a financial services firm, for instance, could differ from those of a software development company. They need to determine what provides the best value to customers in terms of, say, speed, brand image, or compliance.
Once business value is determined, they need to define how to convert those business values into value streams—the chunks of activity in the development process that are stitched together to create value for an organization by delivering what the customer needs. Each team working on a block of activity in the process might optimize activity for their own defined area, such as testing, but leave the next team with nothing to build on. Inserting business needs into the process can help keep the work focused.
Organizations looking to improve business value can start by focusing on three elements:
1. Bridge the gap between the metrics you’re gathering today and what’s important to the business.
2. Always look for ways to do security better. For example, how do you get six weeks of penetration testing down to two weeks or even a few days? How do you automate this as much as possible?
3. Build on your strengths in the DevOps pipeline. If continuous integration is an area of strength, build on it by integrating business needs into that process.
Actions such as these bring the business into the technology, and the technology into the business. They bring teams closer together, helping them to develop a stronger business model that they can then use to generate future value. If left undone, companies will not be able to assure customers of a strong offering.
Those assurances are becoming more important as companies expand via the cloud, through partnerships with other companies, and as states begin to establish strict privacy regulations. A company that does not have assurances for security, privacy and business value may have difficulty doing business at all.
Software development has come a long way in combining speed with functionality and, to a degree, security. But the best designed software isn’t much good if it doesn’t deliver business value to the customer and, by extension, the business itself.
Many companies currently have two camps: one focused on the technical and the other focused on the business and risk. And a gap exists between the two. Companies employing a DevOps approach can close that gap with a balanced approach to development that includes business value at each step along the way.
Businesses looking to improve their approach can draw on resources offered by the likes of the SABSA Institute, the Open Group and SAFECode, and should also keep an eye out for new standards being developed by the Institute of Electrical and Electronics Engineers (IEEE) and the International Organization for Standardization (ISO). An industry partner also could be extremely helpful in mapping out a path to balanced software development that delivers business value.