3 Tough Questions CISOs Must Ask About their Application Security Training Program
CISOs have primary responsibility for managing risk in the organization. Ensuring the security of business applications and products delivered to customers is a strategic priority for them. CISOs would like to ensure that their Application Security Program is built on strong guard rails. Be prepared to answer these tough questions from your CISO.
Are Our Applications Secure?
Traditional AppSec training revolves around cookie-cutter training materials with outdated content, delivered annually in a classroom environment. This is great for check-box compliance. However, it lacks the rigor needed for serious cyber skills development. Threat vectors in your environment are evolving and the attack surface is growing. Security training needs to evolve to stay relevant to the new realities of the threat landscape.
Interactive security training, where developers learn by fixing vulnerabilities in real code samples, fosters learning and knowledge retention. Aligning training to the developer technology stack ensures immediate relevance to their jobs. Your developers are coding in Java, Python, AngularJS, Kotlin and Go. Are you teaching them secure coding skills by making them watch stale videos and answer multiple-choice questions?
Developers want to write secure code. Give them the tools of the trade and enable them to code securely. Use the training to build a hacker's mindset in your development teams. Shifting security left will also relieve the pressure on your overworked security teams.
How Is it Reducing Our Business Risks?
The CISO has primary responsibility for managing risk and ensuring adherence to compliance mandates such as PCI, HIPAA, SOC 2 and data privacy regulations. The risk of data breaches is what keeps the CISO awake at night. According to the Ponemon Institute, one in five data breaches is caused by software errors.
As the head of engineering, you have responsibility for developing security-related competencies in your teams. However, building a common baseline of security knowledge across distributed development teams can be a challenge, especially in today's work-from-home environment.
A cloud-based application security training platform can help you deploy application security training at scale across your distributed teams. You can assign coding challenges and track progress on assigned training. Some training can also be made mandatory as part of the new-developer onboarding process. Define mastery levels for different roles and use the training platform to build the relevant security skills. You can even integrate your own custom content or create new modules relevant to your technology stack.
Host hackathons and Capture-the-Flag events on the platform to build a security culture in the organization. Such events will also help you identify your security champions, who can then be groomed for mentoring roles.
What Metrics Are We Tracking to Measure Effectiveness?
The journey to an effective AppSec program is a long one, and putting all the moving parts together takes time and resources. A vulnerability management program, security automation and developer enablement training are all essential for building a frictionless DevOps environment.
A clear metrics orientation will ensure that the AppSec program delivers the desired outcomes. Trends in metrics such as the number of security defects delivered in each sprint cycle or the quality of builds are good indicators. Penetration test reports can give you additional insight into areas for improvement.