Only a third of developers truly understand the security policies they work with

Robust security policies are critical to the safety of companies — not just for the systems in which their data are stored, but also for their staff.

As such, the relationship between development and security teams has a major impact on organizations, and a healthy one brings clear benefits.

These include closer collaboration, more secure applications, greater agility, and continuous compliance. Security teams also need to rethink their processes to better embrace the teams they support.

However, as security professionals work to create a secure environment for their organizations, developers are often left out of the security planning process, even though it is the developers who are then tasked with carrying those procedures out.

The development-security divide

Due to this typical arrangement, a fractured relationship between development and security arises. 

While senior leaders are now more focused on the relationship between development and security, a Forrester report found that one in three leaders does not effectively collaborate across the two teams or work to strengthen that relationship.

Commissioned by VMware, the report, titled Bridging The Developer And Security Divide and produced by Forrester Consulting, sought to evaluate the relationship between IT, security, and development teams, and to assess how organizations are working to ensure a strong security posture through Zero Trust.

Key findings affecting security policies

The survey polled 1,475 respondents and included five interviews with IT, security, and development managers and above (including CIOs and CISOs) who hold responsibility for development or security strategy decisions, with the aim of exploring how the divide between developers and security teams can be bridged.

It found that, despite their efforts, teams continue to struggle with strained relationships and a lack of empathy, and that development teams are often still excluded from security strategy and planning.

Aside from negatively affecting the overall security policies of companies, the gap between these teams has far deeper implications and effects on the individuals within them. 

Firstly, 45.1% of developers believe they are involved in planning. However, only 37.8% of security professionals include these developers in strategy planning. 

Development teams are often heavily impacted by the applications and tools chosen by the security team, as they are not involved in the decision-making process. 

More worrying still, only one in three developers (38.4%) reported being thoroughly educated on the security procedures they are expected to execute.

This suggests that the remaining developers receive no proper training when security policies within their organization are updated.

To make it worse, when handling workload protection, 29.1% of development teams are not included in the decision-making — even though this decision can affect up to 92.5% of their daily work. 

Additionally, 52.4% of developers felt that security policies sometimes stifle innovation. 

Fixing mindsets

According to VMware, this disconnect between security teams and software developers hinders initiatives such as Zero Trust implementation and securing the cloud.

Zero Trust is a “never trust, always verify” security model that treats every device on the network as a potential threat. Every point of entry therefore requires identification and authentication, strengthening the security posture of the system.

It is therefore imperative that organizations work to improve collaboration between developers and security teams in order to strengthen their security policies.

“Our research shows that security needs a perception shift,” said Rick McElroy, principal cybersecurity strategist, VMware. 

“Rather than be seen as the team that only swoops in to fix breaches and leaks, or who ‘gets in the way’ of innovation, security should be embedded across people, processes, and technologies”, he added.

McElroy also believes that security needs to be a team sport, and that organizations must build a culture in which all teams have shared interests and common goals or metrics, and speak one language.

“There’s overwhelming value to the business when IT, security, and developers are all part of the decision making, design, and execution.”

Bridging the divide for better security policies

Shared team priorities and engagement will pave the way forward, and thankfully there is already progress being made on this front. Over half of respondents expect security and development teams to be unified within three years, and 42% expect security to become more embedded in the development process over the same period.

There is also a broader acknowledgment that cross-team alignment enables businesses to reduce team silos, create more secure applications, and gain the agility to adopt new workflows and technologies.

Overall, VMware suggests that organizations take three approaches to ameliorate this. The first is to involve developers in security planning as early and as often as possible.

The second is for security teams to “speak the language” of the development team, rather than the other way round.

Thirdly, KPIs should be shared and communication increased to improve relationships. Lastly, security should be automated wherever it can be, to improve scalability.