Working in IT over the past couple of decades I’ve witnessed the good, the bad, and the downright ridiculous when it comes to the way software developers are treated by management. Seeing what I’ve seen, and having been in those shoes, I’m convinced that the best way to de-motivate these key players in any organization is to not appreciate the work they’re doing and what they’ve accomplished for the business.

People (in this case, business executives) are afraid of the things they don’t understand (in this case, software development). I’ve worked for these managers over the years and I still witness them today. Many of them believe that software development is this magical art form that has no place in the boardroom and, for that matter, little place in any meeting that’s focused on the “real” business issues at hand.

What kind of message is that sending to software developers, and IT as a whole? Furthermore, when management is disconnected from information security, it underscores the business priority of features over security. Time to market is seemingly everything, and developers carry on keeping management happy. This is not a positive approach to fostering a culture of web security, nor is it a way to get your development team interested in managing the risks around the business’s most critical information systems.

Sure, developers have to have buy-in themselves, but whether you’re a CIO, CTO, or even the CEO, you’re the leader and it’s incumbent on you to motivate and facilitate such an environment. Here are five things you can do starting today to ensure your software developers get – and stay – interested in web security:

  1. Invite your developers to higher-level business meetings involving operations, marketing, and other strategic areas in which they play a role.
  2. Find a leader within the development team who can encourage his peers to focus more on web security and how it’s impacting the business.
  3. Have your developers report on the progress of web security in the software development lifecycle: what’s improving, what needs work, and so on, so you can do what you can to help them help you and the business.
  4. Give them the resources they need, namely budget to acquire web vulnerability scanning and related testing tools and the proper training for preventing security flaws at the source, uncovering them during the final development and quality assurance stages, and understanding them when someone else documents them as part of your ongoing penetration tests.
  5. Hold your developers accountable (they’re part of the web security food chain, after all), incentivize them to do better, and recognize their positive contributions in front of others.

There’s hardly anything more motivating and uplifting than having someone interested in what you’re doing. You have to ask yourself: What role do I and my colleagues on the executive team play in minimizing web security risks? You’ll likely find that most developers love the security aspects of their jobs. In the end, everything you do as a business executive – every choice you make for security or against it – sets an example for your developers. Do what’s right. Do what’s motivating. Do it now.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.