According to one recent study, disparities within such teams go against the adage that security is everyone’s responsibility.
In March 2021, a survey of 1,475 IT, security, and development managers and above (including CIOs and CISOs in development or security strategy decision-making) was conducted to evaluate the role of security within development teams, team collaboration, security strategy, and Zero Trust DevOps pipelines.
Respondents were offered a small incentive as a thank-you for time spent on the survey.
With this disclosed, the survey found that while senior leaders in the survey were now more focused on development and security relationships, one in three did not effectively collaborate or work to strengthen relationships.
Other key findings include:
- 52.4% of developer respondents ‘agreed’ with prompts stating that security policies sometimes stifled innovation
- 45.1% of developer respondents believed they were involved in planning, but 37.8% of security professionals included these developers in strategy planning
- 29.1% of development teams in the survey were not included in decision-making. This could have affected up to 92.5% of their daily work
- 38.4% of developers in the survey reported that they were thoroughly educated on the security procedures they were expected to execute. The remaining developers may not have had proper training for newly updated security policies within their organization
The survey, commissioned by VMware Security, also included five interviews with directors and above in the roles targeted for study. Three observations made from the data include:
- Make sure security is no longer a specialization. Rather than a few individuals within the organization being responsible for security, security tasks should be embedded across people (teams), processes, and technologies.
- Build better relationships to yield faster releases. Security is everyone’s responsibility. Everyone has to be on board and collaborate across teams for the security tools and procedures the security team implements to be most effective, enhancing the security posture of the organization.
- Make the right thing the easy thing to aid innovation. With the adoption of cloud and other technologies that underpin modern applications (such as containers), developers are major drivers of business revenue. However, security challenges tied to cloud and containers still prevail. Survey respondents noted their top two most challenging tasks were “ensuring security in the cloud (78.6%)” and “securing workloads and containers (70.5%)”.
The report also indicated that when security is so simplified and accessible that development teams do not even realize it is there, it not only reduces business risks, but becomes a business enabler.