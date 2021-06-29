Overcoming security barriers while improving speed to market

June 2021 by Altaz Valani, Director of Insights Research at Security Compass

Balancing speed to market against a rigorous approach to cyber security and privacy regulatory compliance is difficult for many businesses. Companies operating in highly regulated industries feel this pressure more than most, with security, privacy and compliance strictly governed through regular audits.

A major data breach or exploited software vulnerability at a financial services firm, for example, could see operations halted and significant fines issued by regulators. The impact goes far beyond the financial, however, with damage to brand reputation also a significant factor.

The risk is real

British Airways (BA) holds the unenviable record of the largest GDPR penalty issued by the UK's Information Commissioner's Office (ICO) to date. The ICO initially announced its intention to fine the airline £183m, later reduced to a £20m penalty, after attackers were able to harvest data from around 500,000 of BA's customers via its website.

More recently, the National Commission for Data Protection (CNPD) in Luxembourg has proposed fining Amazon over $400m. The case relates to alleged GDPR violations in the way Amazon collects and uses personal data gathered from its customers.

Governance, risk management and compliance

As we can see from these fines, organisations wanting to innovate and release new software updates as quickly as possible have to balance their thirst for development with a focus on governance, risk management and compliance (GRC).

The starting point for this is for companies to improve how they meet risk management requirements in a software development environment increasingly influenced by the adoption of Agile and DevOps methodologies.

The challenge many businesses face is that their teams often operate in silos, outside of software development workflows and with different priorities. A security team, for example, is focused on risk assessment rather than on increasing overall speed to market.

However, businesses can overcome this in part by applying collaborative DevOps principles when it comes to their approach to security. This is most evident in the transition to DevSecOps among many companies, which sees security become a continuous and automated process with security tools and testing incorporated from the outset of the software development lifecycle.

Collaboration and leadership are key

Collaboration and leadership are essential for businesses wanting to achieve faster time to market without compromising on GRC. Organisations must therefore prioritise involving all stakeholders who will have a role to play in software development as early as possible. This goes beyond just developers; if legal and marketing teams will have an impact on development for example, then they too need to be involved early on in the process.

All of this starts with leadership. Business, technology, security and risk management teams need to be aligned with a shared philosophy of balanced development automation. This means prioritising the delivery of business value through software development as quickly as possible without veering from the company’s overall approach to risk.

In the software development process specifically, security and compliance considerations must be embedded throughout the process and introduced at the outset. Developers should also consult with other teams throughout the testing, analysis, compliance monitoring and change management process.

Incorporating security and privacy from the start of a DevOps software development process is vital. By adopting technology-supported balanced development automation, businesses can move in the same direction at the same time and safely walk the tightrope between speed to market and security.