There is a collaborative dissonance between development and security, one that impacts organizations across industries by fragmenting security, stifling cohesion and delaying software development cycles.
Even though organizations expect developers to play an important role in security strategizing, fewer than half of developers and 38% of security professionals agree developers are actually planning security strategies. Organizations exclude developers from planning security strategies they will ultimately expect them to execute. Further exacerbating the divide, one-third of decision makers have not effectively strengthened relationships between security and development teams.
These numbers come from Forrester Consulting’s recent VMware-commissioned study, “Bridging the Developer and Security Divide,” which highlights this misalignment between teams and its detrimental organizational effects. Leaders have long recognized the divide and its consequences but have lacked hard data on what has remained a soft topic. Now, after surveying nearly 1,500 IT, security and development decision makers, the Forrester study offers leaders just that: A data-driven illustration of the gaps between developers and security professionals, and tangible recommendations for bridging them to improve business outcomes.
To bridge the divide, leaders must create a shared culture with shared metrics
At its core, the Forrester study urges leaders to break the silos separating security and development, allowing for collaboration and cross-pollination as these teams co-create the tools to implement security early in the development cycle.
To capitalize on the study’s recommendations, leaders must foster organizations in which development and security teams share measurable performance metrics. Developing collective goals and a common culture within these teams requires the following:
- Embedding security skills into DevOps
- Building better relationships
- Making the right choice easier
Sharing metrics, culture and goals across teams ultimately leads to more secure application development, increased agility and speed, and continued compliance. Additionally, leaders must invest the funds to make this new cooperation work. For example, management may have to extend deadlines for new releases to make sure the dev teams meet essential security goals. Even though delays may incur extra costs and add hours to time-sensitive projects, establishing secure code as paramount helps drive future process and tool improvements through collaboration that pays off in the long run.
“Bridging the Developer and Security Divide” provides the following recommendations, among others, to help leaders improve relationships and outcomes.
Recommendation 1: Integrate security into development teams and empower developers to be involved in the security decision-making process
According to “Bridging the Developer and Security Divide,” 45.1% of developers believe they are involved with security planning, while a significantly lower percentage of security professionals (37.8%) indicated they involve development teams. These numbers reveal a troubling truth for developers: They are even less involved in security strategy planning than they think they are.
More than 80% of dev managers noted they were impacted by typical security-related policy decisions, such as application firewalls and workload security configurations, yet about half reported not being involved in the policy-making process. This discrepancy reflects the siloed nature of organizations’ security strategies and further deteriorates trust between teams. To combat this, leaders must encourage collaboration between security and development so that policy requirements translate into implementations that are workable for everyone.
Organizations can do much more to integrate security into the workflow of development teams. Only 22% of developers have a clear understanding of the security policies with which they must comply, leaving them confused about their security task responsibilities. To foster compliance and agility, don’t require developers to translate policy. Set time for teams to create procedures and tools that effectively incorporate policy measures into the development workflow, making security a natural element of daily routine.
Recommendation 2: Make the term “cross-functional” live up to its definition
Typically, security and development do not share a common background, purpose or even language. Security prevents and mitigates vulnerabilities while development works to rapidly deliver business-enabling applications. Security professionals emerge from very specific security roles, and developers are often software engineers. Their IT orientation and worldview are entirely different.
Yet organizations expect cohesion when these teams collaborate, even though only 38.4% of developers believe they are thoroughly educated about the security procedures they’re expected to execute. For example, the Zero Trust framework, built around concepts like “never trust, always verify” and “assuming breach,” situates development and security around a simple strategic orientation that serves as a foundation for further collaborative work. Leaders must teach developers about security in a language they understand and build a shared framework that articulates procedures.
Recommendation 3: Build trust between teams
Zero Trust is a security strategy, and companies must build as much trust as possible among development and security to make it work. Some encouraging progress has already been made: Over half (58.1%) of respondents indicated it is a critical or high priority to drive collaboration and alignment between the security and development teams, and 72.5% agreed that their senior leadership focuses more on strengthening the relationship between development and security than it did two years ago.
There are still gaps to bridge, however, as less than half (45%) of all respondents believe their organization clearly defines responsibilities across development, security and IT teams.
Here, again, metrics are key. Organizations should share key performance indicators (KPIs) across teams, effectively using math as a clear and rational tool to communicate shared goals and responsibilities, building trust to help teams better collaborate and co-create.
Shared KPIs, accompanied by the skills to incorporate process improvement into the workflow, could include accelerated release velocity, reduced security incidents and decreased mean time to patch/update. Going on the premise that we manage what we measure, KPIs around accelerated release velocity balanced with reduced vulnerabilities can set the baseline for collaboration between security and development teams that leads to improved dev cycles and more secure deployments. This establishes a solid foundation for early wins and future improvement.
Recommendation 4: Automate to help people fulfill their roles
IT leaders know there is a bottleneck in the developer pipeline — indeed, more than 70% of organizations report a great need for developer hires they simply cannot fill. Shortages in developer resources strain existing staff, stifling collaboration and communication.
Automating security processes and integrating systems that bake in security from the start can help free up developers’ valuable time to focus on core responsibilities, integrating more into security strategy and execution, and building relationships across teams. By freeing up time for overburdened development teams, automation strengthens human relationships and unifies functions.
Be the catalyst for future success by bridging the divide
Security and development teams with positive relationships can complete the software development life cycle five business days faster than teams with negative relationships, and leaders are responsible for bridging the divide between them. Bridging that gap unites teams and improves business outcomes, including:
- More secure applications
- Increased agility and speed
- Continued compliance
It’s time to alter the way employees share security accountability and drive a common culture across all parts of the business. Download the full study, “Bridging the Developer and Security Divide,” for a data-driven assessment of how far your organization may be from that goal and to gather actionable ideas for how to unite your developer and security teams.