Recently, I moderated round table discussions between dozens of CISOs at Evanta CISO Summits in Chicago and Atlanta. My colleague, Michelle Dufty, moderated a similar event in San Francisco.
The purpose of the sessions was to have an authentic conversation about the emerging practice of DevSecOps and explore the following unconventional idea:
CISOs can reduce risk and significantly improve an organization’s IT security posture by shifting more of their resources to the beginning of the digital supply chain (playing offense) — rather than over-investing resources at the end of the digital supply chain (playing defense).
To help foster dialog, we asked participants to share a perspective on two things:
- How can CISOs become better partners to software developers and others who are responsible for driving digital innovation?
- How can front line software developers become better partners to CISOs in regards to reducing risk and improving enterprise security?
Our sessions were attended by 45 CISOs, hailing from a variety of public and private industries, such as communications, finance, insurance, manufacturing, retail, transportation and government. The mix gave us insight into how different verticals think about DevSecOps and highlighted how, regardless of industry, “AppSec” is an area that is garnering more attention from CISOs.
By a show of hands, approximately 30% of the CISOs in attendance indicated that they were actively working to “shift left” and find ways to collaborate more effectively with development colleagues responsible for building software at the beginning of the digital supply chain. Conversely, approximately 70% of the CISOs in attendance indicated that a vast majority of their time and energy remains focused on traditional initiatives designed to secure the enterprise perimeter and defend assets at the end of the digital supply chain.
By themselves, these findings are not surprising. The concept of DevSecOps is still very much in the early days, and with so many other priorities on their plate, many CISOs simply haven’t had time to think about how improved application security hygiene upstream — can dramatically reduce risk in downstream production environments. That said, it’s also clear that a growing number of CISOs now view the early stages of software development as a high priority piece of their overall security puzzle.
Three Lessons Drawn from Our Discussions:
1. Silos often exist between developers and security professionals, but not always.
Silos between software development, application security, and IT operations teams often exist in large enterprises — but are less prevalent in smaller engineering teams. In larger enterprises, these silos tend to create friction and diminish the pace of software innovation.
In smaller organizations where a single executive is responsible for both development and security — and in larger organizations where CISOs have a professional background in building software, there tends to be less friction between development and security.
Regardless of an organization’s size, when a CISO has prior experience as a software developer, they tend to have a balanced approach to offense vs. defense. Not only do they understand the critical importance of “playing defense” with advanced perimeter security — but the CISO also recognizes the importance of “playing offense” by building security into every application without slowing down innovation.
2. More CISOs are embracing software composition analysis tools to automate open source governance.
As the application security market continues to mature, more organizations are embracing software composition analysis (SCA) tools to automatically govern their use of open source and third-party libraries flowing through their software development lifecycles.
In fact, Gartner recently released a report titled, “Technology Insight for Software Composition Analysis.” The report makes clear the importance of having a resilient software supply chain supported by SCA. Specifically, Gartner recommends the following:
Organizations should mitigate risk by hardening their software supply chains. This includes an examination of both internally and externally sourced code (and supporting scripts, configuration files and other artifacts) and the creation of an internal repository of trusted components. It also includes governing the use of external repositories.
Gartner also places importance on a software bill of materials, stating:
By 2024, the provision of a detailed, regularly updated software bill of materials by software vendors will be a non-negotiable requirement for at least half of enterprise software buyers, up from less than 5% in 2019.
By 2024, 60% of enterprises will automatically build a software bill of materials for all applications and services they create, up from less than 5% in 2019.
3. CISOs agree: it’s a good idea to get a grip on open source risk.
Open source components have become the miracle drug of choice powering DevOps and modern software innovation — while these parts play a vital role in driving innovation and powering the world as we know it, not all of these parts are created equal; and all of them are borrowed from third party sources with unknown provenance. Thus, nearly 100% of CISOs participating in our recent discussions agreed that it is important to govern risk associated with third-party open source libraries.
We’ve all heard the old adage: “Offense wins games. Defense wins championships.” Modern IT organizations committed to winning through accelerated software innovation are shifting more of their security resources further left. In this way, they can play better offense at the beginning of the digital supply chain — while still playing strong defense at the end of the digital supply chain.
A version of this article originally appeared on The New Stack.