By Matias Madou, Co-Founder and CTO of Secure Code Warrior
With 2020 bringing a heavy focus on online business, it is fair to say that most organisations are expanding their digital footprint, and the resulting demand for software developers has never been so high. IBISWorld reports that the market size of the software development industry in the UK has grown 7.3% per year on average between 2015 and 2020 and it doesn’t end there. Software development is one of the top three skills for hiring managers going into 2021, according to research by Robert Half.
This trend is being felt across the financial services sector in particular, where digitalisation has been rapid. Unfortunately, cybersecurity skills and processes are not growing at the same pace. With the industry’s reliance on software at an all-time high and a correlative rise in cybersecurity threats, organisations are at breaking point. Just last year, 70% of financial companies experienced a cybersecurity incident. Not only this, but organisations are not future-proofing their IT infrastructure to deal with this magnitude of attacks. According to Deloitte’s report, “Pursuing Cybersecurity Maturity at Financial Institutions”, financial institutions dedicate a less than impressive average of 0.3% of revenue and 10% of their IT budget to cybersecurity. This is particularly consequential in an industry that holds such sensitive and confidential data, and financial institutions must take security more seriously in order to see change.
The thing is, investing in strong cybersecurity doesn’t always mean splashing tonnes of cash on application security tools. A 2019 study found that, across 32 web applications, 82% of vulnerabilities were located in the application code itself. That’s a lot of risk that can be mitigated by creating secure code in the first place. So, why are so many organisations still struggling to ‘start left’ and build a security-first mindset when it comes to coding?
Dangling the carrot to encourage secure coding
A survey of 400 security professionals across financial services by the Ponemon Institute found that only 43% of respondents said their organisations impose cybersecurity requirements on third parties involved in developing financial software and systems. This is an alarming amount of potentially insecure code flowing through the financial services industry, yet if training in secure coding was the norm, a lot of risk could be mitigated up-front.
There can be a reluctance towards training developers on how to code securely, due to a misconception that it will take them away from the job they are tasked to do and, naturally, are most interested in: building features. This is exacerbated by rising consumer demands on financial institutions and ever shorter development release cycles. But this doesn’t have to be the case. Instead, organisations should take a proactive approach to encouraging developers to take security more seriously, and remind them that coding securely is a skill to add to their toolbox; once they learn it, they will get faster over time, reduce rework, and eliminate recurring security bugs at the root of the problem.
Another point to consider when motivating developers is that when they take the necessary steps to become security-aware, they stand out as a more efficient member of the team. Their skill set reduces complete dependence on expensive, unreliable scanning tools, and helps bridge the gap left by specialist security personnel, who are in short supply. Additionally, they become instrumental in protecting their employer from cyberattacks and data breaches and, in a wider sense, become more sought-after developers, opening themselves up to more prestigious and lucrative job opportunities.
Providing developers with the right tools to code securely
It is all well and good convincing developers that security is important, but how does an organisation go about providing developers with the tools to learn how to code securely? You are not likely to change a developer’s mindset with traditional teaching methods like classroom-based training, or hours of videos irrelevant to their day jobs. In order to captivate their attention, and demonstrate how security can seamlessly fit into their current coding practices, they must be given the opportunity to get hands-on training through dynamic exercises that mimic the code they work on every day.
The most successful way of doing this is through hyper-relevant gamified learning platforms that are integrated with day-to-day tasks. If developers are actively led through how coding and security can be combined into the same offering, without being taken away from their job, they are more likely to continue following best practice in the future.
While there is still a long way to go before the financial services industry eliminates insecure code, the sector is showing promising signs of change. Despite cybersecurity being relatively new in many organisations, it is refreshing that financial institutions are truly open-minded and innovative in their quest to provide safe, secure software. Many have laid the groundwork to be more security-aware than others, identifying a need for and dedicating resources to holistic training programmes for not just application security professionals, but also their (typically very large and globally scattered) development teams. Many have seen the benefit of upskilling the development team with engaging learning platforms that help not just fix existing problems, but give them the tools to code securely in the future, creating a more robust security posture for the industry, its customers and society.