Cyber Focus: Cybersecurity vs The Business


With the continuous stream of data breaches, network disruptions, and ransom attacks, we have collectively begun to become desensitized to cybersecurity incidents of all sizes.  Nobody wants to be the next headline in the news as the unsuspecting victim.  As a result, chief information security officers (CISOs) and security teams are under increasing pressure to secure vulnerabilities and prevent attacks.

Meanwhile, product teams and business managers are increasingly under pressure to make delivery commitments and meet deadlines. They don’t want to be in the news any more than their security colleagues.  However, priorities between the cybersecurity team and business teams are not always aligned.  Friction between mitigating security risks and making schedule deadlines often results in frustration and strained relationships. Keep reading for some approaches to bridge the gap between the cybersecurity team and business operations.

1. Speak the Same Language

Technical experts in different domains often encounter collaboration challenges due to the distinct jargon and terminology associated with their discipline.  Will software developers understand the output of a security scanning tool? Will InfoSec approvers understand the contents of an application log? 

Speaking the same language doesn’t mean turning your software developers into forensic analysts.  However, it does mean that they should study and learn cybersecurity best practices for applications in their industry.  The best engineers know how to think like an attacker so that they can design and build the right mechanisms to foil attacks. Conversely, your cybersecurity professionals should know and understand the fundamentals of system architecture and engineering.  To achieve this end, you might need to establish IT centers of excellence, partner tech leaders across disciplines, or even temporarily embed team members into cross-functional areas.

Common language and understanding allows for substantive and meaningful engagements. It also fosters trust and credibility between teams for talking through requirements and constraints.

2. Start Early

The best mitigation for a potential vulnerability is to design it out of the system before it can be built in. The security team is a key stakeholder in the project, and their requirements should be included alongside the business owner’s needs.  They should also be prioritized independently as part of the architecture runway. No completed iteration is truly deployable unless it is secure.

You never want to be in the position of absorbing re-work due to security vulnerabilities.  An even worse prospect is to be forced into reactive mode due to an ongoing attack. Start your security work as early as possible.

3. Plan for the Worst

Zero trust security teaches us to trust nothing and inspect everything. However, all the required scanning will certainly take up time in the project schedule, not to mention the time needed to mitigate the scan findings. Factor in time to work the vulnerabilities out of your system with proper coverage.

4. Automate, Automate, Automate

Built-In Security

Integrate application security tools into your system value chain. These tools can be deployed early in your development cycle and provide the coverage needed to review modules and components for weak spots as they are being developed.  An important benefit, especially for government agencies, is that they can also save time by populating compliance documents with automatically detected security information and applied techniques.

Continuous Assessment

Integrate security configuration, testing, and validation into your CI/CD pipeline. This allows all teams to maintain ongoing awareness of compliance and vulnerability status. The real-time security data also provides for proactive management of vulnerability risk.

5. Organize Strategically

Is your organization properly staffed to deliver secure systems? Rapid delivery requires a complete engineering team staffed with information security experts. Without sufficient numbers, it’s common for the cybersecurity team to become overextended. Any approving entities must also be set up to review and adjudicate quickly. Review your allocations often and build up your cybersecurity team to keep pace with the flow of business.

Conclusion

As your organization evaluates risk and exposure to cyber attacks, remember that there will always be new threats that can impact a business of any size.  When your operations and cybersecurity teams are at odds, no one wins. It’s incumbent upon leadership to foster the right balance of priorities, digital solutions, and team collaboration.
