As technology has become integral to company performance and competitiveness, both digital transformation and cyber security are now seen as the cornerstones of growing successful businesses. This technology-centric focus means there is an increasing need for engineering and security teams to work together closely to improve the implementation of technology across a company. The introduction of agile security approaches can help engineering teams implement this process more quickly and smoothly. While there are challenges to this new approach of working, businesses will reap significant benefits from security and technology delivery teams working collaboratively.
Digital transformation is now a key component of business strategy as organisations seek a larger impact from investments in digital technologies in order to stay relevant and ahead of the competition. From flexibility and customer experience, to continuous improvement and increased agility, businesses are looking to enhance their capabilities as well as reap the benefits and cost-savings of digital transformation. For this reason, CEOs are prioritising growth and speed of innovation as their main objectives. At the same time, the importance of cyber security has increased with C-Suites investing heavily in protection for their company and assets. This must be carefully balanced with the need to ensure they are offering the best available services or products to their customers.
While the engineering team seeks to help the business innovate quickly and move on from slow legacy IT systems with new technology, cyber teams must manage the business's cyber risk appetite and look to mitigate the likelihood of attack and breach.
Historically, these differing objectives have led to conflict as each team has looked to deliver the best outcome for the business. A lack of communication and understanding of each other’s objectives has impeded the implementation of new technology and caused significant delays and compliance issues.
With engineers feeling restricted by the requirements and processes that have been placed upon them, there has been a surge in the number of unauthorised applications and systems being used to get work done. Not only does this bypass the requirements of the cyber team, which are designed to protect the business, but it can cause considerable compliance issues. While shadow IT may begin with small pockets of employees, the problem can easily become widespread across teams. Easily deployable technologies such as SaaS and cloud services have only aggravated the issue of shadow IT, leading to more vulnerabilities for the cyber teams to mitigate.
As businesses continue to innovate, new technologies will be continually deployed into the enterprise, which will require the cyber team to be involved in the delivery of these technologies. In turn, this demands better understanding and collaboration between the cyber and engineering teams.
Businesses have come a long way in addressing these issues and breaking down barriers between the two groups. Decisions cannot continue to be made separately from one another, so businesses should align both teams' efforts under a joint strategy and operation. This shift in approach means that engineering and cyber teams are working closer than ever before in helping businesses deliver innovation. By ensuring there is open dialogue and a clear line of communication, teams are finding it easier to share ideas and mitigate issues. Understanding what is required for both teams to fulfil their roles has helped the two sides prioritise work more efficiently.
Education is key
The most important factor in developing this collaboration has been education. Historically, when it came to a security test, for example, engineering teams would send the new system to the cyber team, who would then undertake security testing. The cyber team would then provide engineering with extensive lists of vulnerabilities for engineering to fix themselves before entering a second round of testing. This approach was slow, time-consuming and ultimately inefficient.
To combat this, it is becoming common practice for security teams to provide in-depth education on cyber security to engineering teams on a regular basis. Demonstrating common attack scenarios and teaching the basic principles of secure coding can help both teams work together to introduce security approaches into the software development cycle. Moving forward, cyber teams are now able to introduce secure development lifecycle methodologies and deploy security testing tooling into the Continuous Integration (CI) pipeline. This can automate security testing and embed security architects and engineers in the delivery teams.
These developments are part of a wider shift to agile ways of working for the cyber team across the digital transformation agenda. Business efficiency will be greater without any delays, miscommunication or compliance problems. Importantly, this shift will reduce the risk of breaches as new innovations are deployed. Ultimately, bringing agile security to the transformation agenda will lead to increased competitiveness and reduced costs, and will help businesses better manage the continual evolution of cyber risks now and in the future.
David Webb, CEO, 6point6