If security is a team sport, why is security still a specialization for many organizations?
VMware commissioned Forrester Consulting to explore the current state of the IT, Security, and Development relationship dynamics in the recently released thought leadership paper, ‘Bridging the Developer and Security Divide.’
The problem – tech teams are misaligned
As security professionals work to secure their organizations, developers are often left out of the security planning processes but are then tasked with carrying out those procedures—further complicating an already strained interaction.
Only one in five developers strongly agree that they understand which security policies they are expected to comply with, while alarmingly, more than half of the developers surveyed are not involved at all in security policy decisions, despite many of these greatly impacting their roles.
Organizations where security and development teams have a positive relationship can speed up the software development lifecycle by five days per release compared to those without – demonstrating how speed to market and competitive advantage are at stake here.
Nearly three-quarters of respondents agreed that their senior leadership focuses more on strengthening the relationship between development and security teams than they did two years ago, but relationships are still strained. In fact, one in three decision makers reported their organizations’ teams are not effectively collaborating or taking strides to strengthen relationships between security and development teams. Lack of role definition for development teams, lack of communication between teams and competing priorities have major impacts on collaboration.
Security needs a perception shift
With security still being perceived as a barrier in organizations, and 52% of developers believing that security policies are stifling their innovation, there’s a wider perception shift needed across organizations’ tech teams. Rather than be seen as the team that only swoops in to fix breaches and leaks, or who ‘gets in the way’ of innovation, security should be embedded across people, processes, and technologies.
Security needs to be a collaborative effort that works alongside IT and developers to ensure protection across clouds, apps and all digital infrastructure – and this requires building a culture where all teams have shared interests and common goals or metrics, and where they speak a common language. There’s overwhelming value to the business when IT, security, and developers are all part of the decision making, design, and execution.
Reaping the rewards
Shared team priorities and engagement will pave the way forward and there’s already progress being made on this front. Interestingly, more than half of respondents expect security and development teams to be unified within three years. And 42% expect security to become more embedded in the development process during that same period. There’s a broader acknowledgment that cross-team alignment empowers businesses to reduce team silos (71%), create more secure applications (70%) and increase agility to adopt new workflows & technologies (66%).
The study provides key recommendations including:
- Have a strong vision from the top to reduce competing priorities and empower teams with the tools and processes they need
- Embed security advocates into development teams rather than pushing security down from the top
- Speak a common language with developers to ease friction between teams
This is only a highlight of the compelling findings in the new Forrester study. Download and read the full “Bridging the Developer and Security Divide” for all the detailed insights!