Bridging the IT, Security and Developer Divide to Deliver Innovation at Speed

Optimizing the customer experience is the most important commercial focus for businesses today, and how fast this can be achieved makes the difference between success and failure. The delivery of innovative products and services, securely and at speed, is the great differentiator for attracting and retaining customers.

Today, regardless of company size or market sector, the delivery of great customer experience is dependent on an organization’s technology teams – IT, security, development and other less traditional stakeholders – being aligned and working together. If these relationships don’t work, developers are shackled in their creativity, applications leak customer data, and the infrastructure and platforms aren’t resilient; the business threat can be very real.

Security, in particular, needs to deliver for, and align to, the rest of the business. Modern and distributed organizations need security to be built in throughout the infrastructure – not just bolted on as an afterthought. The accelerated, pandemic-tolerant sprint towards digital transformation has paradoxically made the threat landscape much worse.

Yet, the extent to which relationships between security, development and IT need to improve is significant. According to new VMware research in conjunction with Forrester, 61% of IT teams and 52% of developers consider traditional IT security to be a roadblock to innovation. In contrast, just one in five developers even understand which security policies they are expected to comply with. In addition, senior leaders are more focused on development and security relationships, but one in three is still not effectively collaborating or taking steps to strengthen them.

Where does the disconnect lie, and where does security sit within this scenario? What needs to change to ensure security is prevalent across the business to free innovation, drive control and ultimately enable customer success?

Change the Conversation

A lack of common goals between security, IT and developers has long been an issue, exacerbated by the complexity of today’s multi-cloud, modern app world. VMware and Forrester’s study reveals that not all teams are customer-aligned, with operational efficiency being the number one priority for IT and security teams (considered most important by 52% of both respondent groups). In contrast, development teams prioritize improving the user experience (50%) – which is only fourth for IT and security teams, while preventing security breaches comes second for both IT and security, yet only fifth for developers.

This lack of alignment is understandable – developers can be siloed, in that their priorities are innovation and the customer. Their success is typically rooted in building an attractive application, as quickly as possible to position the business as first to market. Once there’s a working product, only then does its security become a focus – far too late in the day.

This realization raises questions around the subject of a common language. The "end-user" for a developer is typically the end customer, whereas the end-user for IT and security is traditionally considered internal. Crucially, ‘security’ means significantly different things to these three teams. It’s not just that priorities are misaligned; the fundamental terminology with which they are being discussed doesn’t easily translate between teams. The conversation on alignment isn’t just overdue; it’s being discussed using different languages within the business.

Security’s Perception Problem

Then there’s the perception of security, which is considered a barrier to developers and IT in organizations. For many, it’s still not embedded enough into the business, either in terms of people or technology. The research shows that this results in more than a quarter of developers not being involved at all in security policy decisions, despite many of these greatly impacting their roles.

We need to move to a scenario in which security is considered differently. It’s there to support the brand, build trust, optimise app delivery and eliminate the false dichotomy between innovation and control.

So, rather than the “security as an afterthought” school of application development, where the function is seen to get in the way of innovation, greater teamwork is needed. Security must become ever-present and yet invisible within the organization, rooted in the innovation lifecycle from the very outset. Crucially, it must also be recognized as part of the customer experience.

A Path Forward

The realization of this change needs to start at the top. Who is the chief decision-maker for security, IT and development? In reality, this varies wildly: different reporting lines, different lines of business, different levels of representation at the board level. Security has always theoretically been aligned to IT. But should we now be seeing a shift in its priorities towards developers, away from firewalls to secure app building – as the latter becomes a strategic driver of business innovation? Ownership currently resembles the Wild West, fuelling a lack of strategic alignment between stakeholders.

Aligning priorities under the responsibility of a single seat at the table – a digital transformation officer or similar – will be vital in bringing the teams together in vision, strategy and execution. It will encourage the sharing and alignment of KPIs. It will help empower teams to collectively sell within the business – to get funding, convince their internal customers to engage with products and solutions and change the dynamic from responding to change to proactively driving it.

This will help drive a cultural shift in which teams are united to pursue a shared priority: customer focus. Security, in particular, could do more to align here to ensure it’s better embedded in the development lifecycle that drives the business forward. Ultimately, as the development and deployment of applications have grown, security needs to do the same.

Towards a Future State

The good news is there’s recognition that shared team priorities are the way forward. More than half (53%) of respondents expect security and development teams to be unified two to three years from now, and those that believe obstacles prevent this unification are set to reduce from 49% to 28% over the next few years. Over forty percent expect security to become more embedded in the development process in two to three years’ time, and there’s a broader acknowledgment that cross-team alignment empowers businesses to reduce team silos (71%), create more secure applications (70%) and increase agility to adopt new workflows and technologies (66%).

There’s also recognition that security is so much more than just an insurance policy. It can empower development teams to accomplish their goals in the most secure and successful ways, rather than hindering innovation.

Ultimately, the research shows that better alignment and team working between stakeholders such as IT, security and development can result in reductions in the app development lifecycle – the time to market for a new app – of up to five days. This is a very significant finding, with enormous implications for competitive differentiation and efficiency.

Continuing and accelerating this progress needs to be a priority for business leaders. Relationships between these three teams have a major impact on organizations, and their alignment delivers more resilient apps, greater responsiveness to market conditions and continuous compliance. Yes, security needs to rethink its processes to embrace its support teams further. Yet, IT, security and developers must all come together to support a new future state; one where customer focus, powered by a systematic approach and senior ownership, unites the technology teams and empowers them to drive the business forward.
