It’s the start of the year again.
The decorations have been packed away, the team has returned from a well-deserved break, and we all share in the traditional New Year’s dream that this year will be quieter. The world never looks more hopeful than it does in January.
In the spirit of capitalizing on this short-lived optimism and starting 2023 with a renewed focus, I’m asking you to join me in making a change this year.
Let’s make 2023 the year we take action in software security
There’s a myth that you need the right motivation to start a new action. In cyber security, this motivation often comes from something bad happening to us or someone we know. This bad thing hits hard and spurs us into action.
However, motivation resulting from an event rarely leads to long-term change. The motivation we experience is fleeting, so when the motivation fades, we slip back into our comfy old habits, and inaction reigns once more.
You might have heard this well-understood phenomenon described as “recency bias” — when we favor recent events over ones that happened longer ago.
In performance sports, people understand that this type of motivation doesn’t work, and they view the relationship between motivation and action differently. They know that action leads to motivation, not the other way around.
Most of us don’t feel naturally motivated to do hard things. Whether it’s starting a fitness regime or kicking off an application security program, the light of inspiration is probably not going to descend out of the blue and fill you with the urge to get it done.
So when those performance sports folks talk about flipping the order from “motivation ➞ action” to “action ➞ motivation”, they mean the trick with making consistent change is to take action whether you’re feeling motivated or not. Just start.
It might sound counterintuitive, but the action you take will show you the benefits or possibilities of your new behaviors — which can then provide the motivation you need to carry on for the long term.
What does this mean for us as application security leaders?
We need to accept that building and improving our application security programs will always feel hard, and we’ll rarely feel motivated to do it.
Once we’ve admitted that, we can take the next step: deciding that, as a team, we’ll do it anyway — together.
This year, SafeStack will be sharing content, hints, and tips designed to help you make small, consistent improvements to your software security — whatever your size, cyber security maturity, or budget.
From how-to guides to walk-through videos, from interviews to handy resources — we’re looking forward to sharing ideas that will help you take action in achievable ways.
Over time, our hope is that you’ll see the benefit of these changes and begin to build the motivation and cyber security culture needed to shape your appsec program so it works in your unique context.
We’ll be encouraging you to share your approaches and journeys, as well as looking at experiences from organizations worldwide — including what’s worked for them and, sometimes more importantly, what hasn’t.
Rethinking application security programs
For many years, building an application security program has been seen as a rite of passage for larger organizations. It’s been something you do when you have a lot of people, a larger budget, or more revenue.
I think we have it backwards. The later we start working on basic cyber security practices in our software development teams, the harder it gets. Once a large ship has started moving, it has inertia. Changing direction is hard, and slipping in new processes or rituals can be fraught with tension.
When the ship is little, you may not have a lot of time, people or resources, but you do have flexibility and creativity. You can adapt, solve problems as you go, and evolve your approaches much more quickly.
Wherever you are — in your organization’s life or in your appsec journey — the key is finding the small changes and initiatives you can apply consistently across your team. These small changes add up and little by little, they lead to big outcomes.
Focusing on empowerment and enablement
Application security programs shouldn’t be instruction manuals for completely redesigning our development processes and culture. At SafeStack, we find it helpful to think of them as guides for how to consistently think about risk at all stages of a product’s life cycle.
Much like when we try to improve our health, success in an application security program isn’t huge amounts of change delivered in short time periods. It’s small changes, consistently building up over time. Change that can be scaled, sustained, and shared across people.
Ideally, an application security program should encourage your development teams to consider security as part of their world — as ingrained as the need for performance and usability, and part of our definition of high-quality software.
Rather than a playbook of what tool to use and when, an application security program is a framework that helps your engineers understand and take ownership of risk in a way they’ve never done before.
Starting where you are
Whether you’re completely new to this or you’ve got some experience behind you, whether you have a team or just yourself and a few spare hours around your full-time role — let’s commit to application security and work on it together.
We’ll learn about and choose the ways to measure our progress, understand frameworks we can use to look at maturity, and design initiatives that will use the many skills in our teams to build amazing products that are secure by design from day one.
We’ll work together to make sure our roles as application security leaders are ones of enablement and coaching — so that we can become the supporting cast to a team of 30 million security-minded software engineers worldwide.