If you want to drive change, you have to know how to motivate people.
- Security isn’t just a technical issue; it’s an organizational and human issue, says Atlassian Chief Trust Officer Adrian Ludwig.
- To create resilient systems, developers and security teams need to realize their shared objectives.
- Personalize training so execs and team members understand how security risks impact their sections of the business.
- All security teams should prioritize addressing technical debt and reducing complexity in 2022.
David Balaban, a cybersecurity researcher and journalist, contributed the following article to Forbes.
The human factor is often described as the weakest link in an organization’s security posture, and that is no misconception. Phishing attacks rely on “cognitive payloads” that dupe not-so-vigilant personnel into slipping up. Developers’ mistakes, made under time pressure or fatigue, leave loopholes in code that play into attackers’ hands down the road.
This isn’t a complete list, but guess what? The gap between weaknesses and strengths isn’t that hard to bridge. In the organizational context, all it takes is a people-centric style of doing security in which empathy and frictionless teamwork play a crucial role.
Although this approach is a paradigm shift for many orgs, it’s attracting more and more aficionados across the IT ecosystem. Adrian Ludwig, the Chief Trust Officer at Atlassian, has advocated it throughout his bright career in security. He believes it will be key to building resilience in 2022, whereas boiling protection down to technical controls alone is a fallacy.
“We’ll begin to realize that security is not just a technical problem; it’s an organizational and human problem. As an industry, we’ve learned that it’s not enough to mandate security protocols and increase training. Instead, security teams will need to exercise empathy in order to better understand developers’ top concerns and motivating factors,” says Adrian.
Security is a shared responsibility
The relationship between security and software engineering departments in many companies is fairly strained. That’s because their goals and incentives don’t overlap; moreover, the interests of one team may be at odds with those of another. Developers prioritize creating systems on schedule and frown when the need to comply with security protocols prevents them from reaching critical milestones. Security staff, in turn, concentrate on minimizing incidents and are often overwhelmed with work to address vulnerabilities that software makers left behind.
This natural confrontation is risky business because it pushes the organization toward prioritizing low-hanging fruit over the problems that matter most. To avoid going beyond the point of no return, you need to build a work environment with empathy and seamless interoperability at its core. Security must “shift left” far enough in the development pipeline to make sure that the resulting code is both reliable and resistant to tampering.