5 key challenges when building a security training program

By Márk Félegyházi (Avatao CEO)
To build a successful enterprise security program, it helps to go back to the well-known fundamentals of organizational change: People, Process, and Technology. These ideas originated in Harold Leavitt’s “Applied Organization Change in Industry”, and any successful strategy should focus on transforming all three areas. Different leaders, however, have different ideas about where to focus their efforts.

In this post, we advocate starting with People. Of the three pillars, it may be the most difficult to transform, but it is also the most rewarding. Unfortunately, because results are hard to quantify and the feedback cycle is long before benefits are seen, most leaders tackle the problem backwards, starting with Technology and saving People for last.

The first line of defense

While people may be the primary source of errors and vulnerabilities, they are also our first line of defense against cybersecurity threats. Even with the most sophisticated technology in place, it is still people behind the technology who notice when something goes wrong. The SolarWinds supply-chain compromise, for example, came to light because FireEye analysts investigating a breach of their own company traced it back to the trojanized SolarWinds update, rather than because a tool raised an alarm.

Traditionally, security concerns have been relegated to security teams. In a well-rounded enterprise security program, however, this responsibility should extend to every employee. More and more businesses are depending on the security and proper usage of their software products; this makes secure coding training for developers an essential part of any comprehensive security program.

The most common challenges businesses may face

Building a security program has never been easy, and there is a huge number of factors to consider when doing so. While it may seem like a fruitless struggle, the outcome is always worth the effort. There are several challenges you’ll come across when developing a security program, so we’ve collected some of the most common ones you should be aware of.

1. Developers care about speed

Let’s face it: the main objective of software developers is to ship code as fast as possible without breaking the whole product. Developers care about committing the features to production that make the most short-term impact on users.
By now, however, most developers understand that software development is a marathon, not a sprint, and that the product has to be built up step by step. Hasty planning and a rush to ship code in a few sprints lead to a build-up of technical and security debt. While this may not be a huge problem in the short term, any product built on weak foundations will eventually collapse under scale and pressure. Software developers are aware of this reality when it comes to testing or code optimization, but much less so when it comes to security.

2. Developers lack security education and training

Testing is now an important part of any computer science curriculum. Unit tests, integration tests, and TDD in general have become commonly accepted best practices for high-quality software development. But the same is not true when it comes to secure coding training. Cybersecurity education is still lacking in many universities around the world, and computer science students aren’t learning the skills they need in this area.

3. Security training is considered a necessary evil

Training, especially company-driven training, is an activity whose feedback and results only show up after a significant delay. Very few people are dedicated enough to work day by day on consistently improving their skills, and most developers assume that on-the-job experience will carry them forward. Training sessions organized by the company are seen as an annoyance, a necessary evil that takes time away from the daily job.

4. Security is a gateway function that blocks modern DevOps processes

Security is often considered an obstacle that keeps people from doing their job. It is a bit like the early days of seatbelts: people considered them a nuisance because they limited freedom of movement while driving. In the same way, developers often believe that visible guardrails and security tooling lead to pointless rework cycles that stop them from shipping at full speed.

5. Misalignment of responsibilities

While many developers have a strong sense of responsibility and ownership over their code, some simply do not care whether their code is high-quality or not. If processes allow them to slack, these developers will sacrifice long-term stability for short-term speed. And since many developers are never held directly responsible for the mistakes they make, it becomes easy to optimize for speed over quality.

Conclusion

Awareness of the importance of security training is on the rise, but it still has a long way to go. Training is often seen as a roadblock that slows down the workflow, but as we mentioned, its long-term benefits are clear. Just like any process related to products and services, security needs to be built on a strong base, and training is an essential part of the foundation of any successful security program. Even if it seems to derail day-to-day work in the beginning, incorporating proper security training will improve code quality and overall security. Stay tuned for our next post, where we’ll discuss some best practices for implementing training in your security program!

Related Articles

JWT handling best practices

The purpose of this post is to present one of the most popular authorization manager open standards JWT. It goes into depth about what JWT is, how it works, why it is secure, and what the most common security pitfalls are.

Ruby needs security

Every year, Ruby is becoming more and more popular thanks to its elegance, simplicity, and readability. Security, however, is an issue we can’t afford to neglect.

Python best practices and common issues

Python is a high-level, flexible programming language that offers some great features. To be as effective as possible, it is important to possess the knowledge to make the most out of coding with Python.