Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

3/7/2018
10:30 AM
Ayman Sayed
Ayman Sayed
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Security-Driven Companies Are More Successful

Software Security Masters are better at handling application development security and show much higher growth than their peers. Here's how to become one.

Strong revenue streams, adoring customers, and inspiring leaders are the usual hallmarks of a well-run business. When investors look to new companies to support, these factors are the ones that show whether a business will succeed or fail. Recently released research shows that business analysts should add one more: secure software.

A Freeform Dynamics survey (commissioned by CA Technologies) discovered an elite class of businesses that have ingrained security into their operations — deemed "Software Security Masters." They make up approximately one-third of the enterprises surveyed and include those that are better at handling application development security.

These Software Security Masters are more likely than their mainstream peers to see effective security as an enabler of increased business performance. This manifests itself in the form of superior metrics and outcomes in relation to software delivery. It is no coincidence that these organizations are seeing 40% higher revenue growth and 50% higher profit growth than their mainstream peers.

So, how do businesses tap into the benefits these Masters are seeing?

The trick is to make security a part of the DNA of the business and its operations. When businesses fall on hard times, executives turn to cut budgets on apparent luxuries, which they may imagine include security. This approach only helps in the short term as it creates a debt of security problems that will need to be fixed later.

Take a look at vulnerabilities from the chip manufacturers in Spectre and Meltdown — vulnerabilities that go back 20 years, despite only being discovered this year. These chips were developed based on a certain set of organizational priorities — processor speed and frequent deployments to outpace Moore's Law — with little or no concern for security.

Organizational culture has an influence on how priorities — which are driven by executives who dictate what matters to them — are executed. If executives see security as a core part of their business, they will avoid accruing this debt and instead look for ways to speed up application development processes because of, not despite, security.

But a successful Security Mastery movement needs to empower more than just executives to look at security differently. Full integration includes the developers. Once they see security as an important part of their organization, they can start to take responsibility for the security of their own code.

The benefits of security integration throughout an entire business allows companies to become more efficient across the board. Shifting security "left" in the development process takes the strain off quality assurance teams that no longer need to identify and fix basic vulnerabilities. Instead, they'll be able to use that time to get updates to customers faster and improve application performance.

With delivery life cycles shortening, it is essential that security becomes embedded into every step of the software life cycle: requirements, gathering, design, code creation, deployment, and operation. Special attention should also be paid to continuous testing capabilities at every step. In order to inject security into the DNA of the DevOps teams, organizations must know the point from where they are starting and begin with a thorough assessment of their current capabilities, strengths, and weaknesses.

Security Mastery is not so much a series of processes as it is an organizational mindset. While the size of this group of Masters may seem random, it appears to be a theme across other areas of innovation as well. Other surveys in this series found similar sized groups of Masters in other areas and elements of application development, such as automation and the ability to respond quickly to changing demands. Overall, it reflects how adopting a mindset of agility in the development life cycle can lead to great results, not only for the end product but also for the whole business.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ayman Sayed is President and Chief Product Officer at CA Technologies, responsible for the strategy and development of the company's full portfolio of Enterprise products and solutions. His mandate is to focus on building a differentiated product portfolio meant to help CA ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5798
PUBLISHED: 2019-05-23
Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVE-2019-5799
PUBLISHED: 2019-05-23
Incorrect inheritance of a new document's policy in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-5800
PUBLISHED: 2019-05-23
Insufficient policy enforcement in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-5801
PUBLISHED: 2019-05-23
Incorrect eliding of URLs in Omnibox in Google Chrome on iOS prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
CVE-2019-5802
PUBLISHED: 2019-05-23
Incorrect handling of download origins in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.