4 Ways to Improve Governance in Product Security

Security is all about closing gaps—between attacker tactics and your defensive capabilities, for instance, or the known and unknown user identities in your cloud infrastructure. An important gap that too many organizations overlook actually starts at the top, between the business and the technical approaches to governance in cybersecurity.

With one side focused on the risks to the business and the other consumed with the technical—especially in a fast-paced DevOps environment—they sometimes can work at cross-purposes. The result can be a situation where companies are not able to assure customers of the security of their products, which could threaten their business.

What is missing is an end-to-end, traceable and repeatable model that gives the business side of the organization assurance that the IT side's work delivers value both in speed and in helping to manage risk. A more unified approach to governance, in which the business and technical sides of the organization share a mutual understanding and a single set of goals, can close the gap and give stakeholders stronger assurances, but first, both sides need to get on the same page.

Unified Governance for All

Cybersecurity is, obviously, vitally important from a business perspective. Companies are increasingly going digital in cloud-based environments and looking to form partnerships to broaden their business. But how can you do business if you can’t provide assurances to stakeholders, be they customers or partners, about the security of your product? The answer lies in bringing software development, security operations and business teams together.

Here are four key areas where organizations can focus their governance efforts to achieve a working balance between technical issues and value to the business.

Risk Management: This is a critical area, though implementing a unified approach can be a challenge given the many varied functions—and sometimes conflicting priorities—within an organization. No risk factor exists in a vacuum, but instead must be measured within the interests of the organization as a whole. The collective risk from the product security domains must be analyzed and aligned with the enterprise risk management (ERM) framework.

Prioritizing Objectives: With many teams and stakeholders across an organization focused on their own goals and objectives, it is essential to prioritize those goals within the context of a company’s business strategy. Teams need to consider company policies, for example, while ensuring that security principles are not violated. A more comprehensive approach among all parties can help ensure, for example, that the metrics the IT security team gathers today are viewed within the context of business priorities.

Challenges: Attack vectors and techniques are constantly changing, which puts pressure on organizations to regularly refine their own approaches to minimizing attacks on their products and maintaining a better risk posture throughout their life cycles. Organizations can combine techniques such as establishing best practices while conducting periodic audits and assessments to help keep their products secure. They also need to continually look at how they can improve their security practices, which can be a good way to bring the technical and business sides together.

For example, they can focus on improving the strengths in the DevOps pipeline (such as continuous testing and refinement of software) by injecting a more business-oriented mindset into these historically technical processes. By bringing value stream thinking to agile processes, they might, say, question the efficacy of a six-week penetration testing exercise within the context of time-to-market. Can they do it in two weeks? A few days? It could also prompt them to question how much of the process can be automated. This kind of combined approach helps improve communication between the different teams within an organization while producing safer products.

Opportunities: The technical competencies of cybersecurity are the foundation of an organization’s security posture and do a lot to inform its risk management policies. But improvements can work the other way, too. Technological advancements also are fueling business and process transformations, and IT security leaders could leverage them. For example, adapting solutions that streamline processes or computing resources that enhance data protection could ultimately help the business side of the organization.

In terms of threats and potential consequences, IT security and business interests are inseparable, since a company’s very lifeblood is at risk. In theory, those interests should always work together to produce safer products, but in practice, they too often focus on their own priorities. Businesses aiming to change that model have resources available, such as those from the SABSA Institute, the Open Group and SAFECode. New standards that will impact software development and governance are being developed by the Institute of Electrical and Electronics Engineers (IEEE) and the International Organization for Standardization (ISO). Businesses also could seek out an industry partner for help in mapping out a path to balanced software development that delivers more business value.

A governance approach that effectively combines the two brings the business into technology, and technology into the business. It brings teams closer, helping them to develop a stronger business model that they can use to generate future value, while at the same time improving an organization’s security posture.