Operations

3/7/2018
10:30 AM
Ayman Sayed
Ayman Sayed
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Security-Driven Companies Are More Successful

Software Security Masters are better at handling application development security and show much higher growth than their peers. Here's how to become one.

Strong revenue streams, adoring customers, and inspiring leaders are the usual hallmarks of a well-run business. When investors look to new companies to support, these factors are the ones that show whether a business will succeed or fail. Recently released research shows that business analysts should add one more: secure software.

A Freeform Dynamics survey (commissioned by CA Technologies) discovered an elite class of businesses that have ingrained security into their operations — deemed "Software Security Masters." They make up approximately one-third of the enterprises surveyed and include those that are better at handling application development security.

These Software Security Masters are more likely than their mainstream peers to see effective security as an enabler of increased business performance. This manifests itself in the form of superior metrics and outcomes in relation to software delivery. It is no coincidence that these organizations are seeing 40% higher revenue growth and 50% higher profit growth than their mainstream peers.

So, how do businesses tap into the benefits these Masters are seeing?

The trick is to make security a part of the DNA of the business and its operations. When businesses fall on hard times, executives turn to cut budgets on apparent luxuries, which they may imagine include security. This approach only helps in the short term as it creates a debt of security problems that will need to be fixed later.

Take a look at vulnerabilities from the chip manufacturers in Spectre and Meltdown — vulnerabilities that go back 20 years, despite only being discovered this year. These chips were developed based on a certain set of organizational priorities — processor speed and frequent deployments to outpace Moore's Law — with little or no concern for security.

Organizational culture has an influence on how priorities — which are driven by executives who dictate what matters to them — are executed. If executives see security as a core part of their business, they will avoid accruing this debt and instead look for ways to speed up application development processes because of, not despite, security.

But a successful Security Mastery movement needs to empower more than just executives to look at security differently. Full integration includes the developers. Once they see security as an important part of their organization, they can start to take responsibility for the security of their own code.

The benefits of security integration throughout an entire business allows companies to become more efficient across the board. Shifting security "left" in the development process takes the strain off quality assurance teams that no longer need to identify and fix basic vulnerabilities. Instead, they'll be able to use that time to get updates to customers faster and improve application performance.

With delivery life cycles shortening, it is essential that security becomes embedded into every step of the software life cycle: requirements, gathering, design, code creation, deployment, and operation. Special attention should also be paid to continuous testing capabilities at every step. In order to inject security into the DNA of the DevOps teams, organizations must know the point from where they are starting and begin with a thorough assessment of their current capabilities, strengths, and weaknesses.

Security Mastery is not so much a series of processes as it is an organizational mindset. While the size of this group of Masters may seem random, it appears to be a theme across other areas of innovation as well. Other surveys in this series found similar sized groups of Masters in other areas and elements of application development, such as automation and the ability to respond quickly to changing demands. Overall, it reflects how adopting a mindset of agility in the development life cycle can lead to great results, not only for the end product but also for the whole business.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ayman Sayed is President and Chief Product Officer at CA Technologies, responsible for the strategy and development of the company's full portfolio of Enterprise products and solutions. His mandate is to focus on building a differentiated product portfolio meant to help CA ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Privacy Ops: The New Nexus for CISOs & DPOs
Amit Ashbel, Security Evangelist, Cognigo,  2/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8955
PUBLISHED: 2019-02-21
In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler.
CVE-2019-1698
PUBLISHED: 2019-02-21
A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External E...
CVE-2019-1700
PUBLISHED: 2019-02-21
A vulnerability in field-programmable gate array (FPGA) ingress buffer management for the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module (PID: FPR9K-DNM-2X100G) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) conditio...
CVE-2019-6340
PUBLISHED: 2019-02-21
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RE...
CVE-2019-8996
PUBLISHED: 2019-02-21
In Signiant Manager+Agents before 13.5, the implementation of the set command has a Buffer Overflow.