In the fast-paced world of cybersecurity, staying ahead of threats while driving innovation is a delicate balance that requires teamwork and clarity. But as the recent CSA State of Security Remediation report noted, one of the biggest problems security and developer teams face is collaborating and communicating. In fact, a startling 18% of organizations report no collaboration or counterproductive relationships. That’s nearly 1 in 5 organizations.
With statistics like that coming to light, we wanted to check in with one of our favorite cybersecurity experts, Tunde Oni-Daniel, Head of Technology Operations and Engineering at OneMain Financial, to give us his perspective on better CISO and security team communication with developers and utilizing technology to assist teams in driving risk prioritization as a united front.
Watch the full video interview here, and catch a few of Oni-Daniel’s top pearls of wisdom below.
On how to communicate the “why” and “what” to developers
Conveying why something is important in a risk-based manner means tying risk prioritization to business outcomes. If you’ve defined those outcomes – be it better ROI, sustained performance for the organization, continued increase of revenue, what have you—it’s very important that teams can take security concepts using a variety of standards to convey what issues may arise if security flaws aren’t triaged and addressed properly.
Everyone in 2024 has limited resources to drive the same objectives and outcomes for the year; working on the wrong things when budget and resources are tight will negatively impact your operations as a whole. It’s critical to prioritize the right things at the right time so you can balance resources properly, and avoid burnout.
On DevSecOps as a team effort
DevSecOps is a principle. Successful companies think of security as everyone’s job—not just one team’s job. If everyone can see the journey of executive prioritization in an aligned manner, you’ll have a better organization overall. This type of team effort is what’s known as a “value stream team”—where all the people that practice developing and pushing capabilities into production have the same principles on how to shift code in the right way, at the right time, in a consistent manner.
On CISO and product team relationships
Across all industries ensuring what the CISO perceives as risk and what that means from a technology risk perspective have to be brought together to drive prioritization. Features are things people need for a platform across all organizations –technology, financial services, food and beverage—the list goes on. Whatever capability needs to be built is tied to a monetary value.
When conversations shift to features versus security issues versus bugs, it becomes tricky to prioritize and move forward. CISOs play a pivotal role in aligning with developers, communicating upcoming challenges, and steering the journey forward. Effective collaboration hinges on aligning language and priorities, ensuring seamless integration of security considerations into the development process.
On using technology for prioritization
Having technology to accelerate prioritization means you won’t have an army of people working on vulnerability management tasks that could be automated. By utilizing technology available to you, your team is able to focus on writing infrastructure code, driving remediation and determining remediation steps, making the entire process more efficient and consistent. That being said, it’s not just throwing technology at the problem—it’s refining your process and building those processes INTO the technology. Remember, if you automate “bad,” it’s still bad!
On collaborating with startups
Startups offer a unique opportunity to address emerging security challenges with agility and innovation. They often tackle problems that larger companies struggle to solve quickly due to bureaucratic hurdles and competing priorities. The key to successful collaboration lies in focusing on the problem being solved. Startups must effectively convey their value proposition and results in a concise manner. For CISOs, prioritizing solutions that offer synergies and operational efficiency is crucial. While individual features matter, the ultimate goal is to operationalize security measures in the most effective way possible.
We like how Tunde views conversations around “best ofs”:
Being in the industry for as long as I’ve been, I’ve moved from the “best of breed guy” to the “best of suite guy.” I came up as an engineer, so I have an architectural mindset. For vendors pitching their platforms, the most important thing is addressing the problem you solve. Period. if you've not conveyed the problem you're solving in the first seven minutes—the architecture and the results or the metrics organizations are going to achieve—you’ve lost.
