The importance of establishing a strong security culture
As individuals and businesses become more dependent on technology, concerns over cybersecurity increase. In a rapid development environment, developers focus their attention on building applications, leaving little time to focus on application security. However, creating a strong cybersecurity culture is important. Within a healthy cybersecurity culture, all team members care about maintaining the security and integrity of data. This means the values and practices of an organization align with protecting the intellectual property, personal data, and business assets of the company and its customers. These are shaped by the goals, structure, policies, processes, and leadership of the organization.
Without this approach, entire organizations, including development and security teams, may find themselves facing roadblocks in future projects.
In a recent developer roundtable discussion XQ held on August 17, 2021, our Head of Corporate Development, Kelby Price, and Zero-Trust expert Junaid Islam spoke with a group of senior developers about the challenges faced when pushing a culture of security in their development and security teams.
Let’s take a look at some of the highlights from our discussion:
Finding a Common Goal
Development and security teams have different responsibilities and sometimes disagree. However, both teams want the same thing: ensuring applications meet quality requirements for prospective customers. Development and security teams must collaborate to achieve overlapping goals to ensure the success of their organization. It's a win-win situation.
Security as a Reactive Industry
Security is a reactive industry. By waiting for an attack to happen, organizations rely on their security protocols to spot attacks. However, when security measures fail, the clean-up operation can be extremely costly and time-consuming. Organizations, security teams, and developers can save time and money by investing in proactive security approaches before becoming victims of security breaches.
Application Security
Organizations often find it difficult to invest in security plans due to initial costs and available resources. During our developer roundtable discussion, we wanted to gain knowledge from a developer perspective on the challenges of implementing cybersecurity policies. Responses ranged from not seeing the importance of security and limitation of resources to difficulty pushing a culture of security on their teams.
When building an application, there are several things to consider: Architecture, Test-Driven Development (TDD), Security, Continuous Integration, and Performance. With so many tasks to deal with, security is often an afterthought. XQ lessens the burden for developers by managing policies and keys.
Solutions: XQ Zero-Trust Security
XQ is transforming the security industry by producing self-protecting data using a Zero-Trust framework. XQ focuses on securing the data rather than the network or link. Once XQ is integrated, every secured data transmission notifies authorized users when, where, and how this data was accessed. This happens no matter where data travels: from authentication to encryption and logging across shared and private networks. Any attempted access by unauthorized users will be unsuccessful. With this new evolution of zero-trust security, XQ is changing the industry from reactive to proactive with less work, fewer resources, and easier implementation.
XQ Message’s Secure Message Authorization Routing Tracking (SMART) is less complex and costly than operating separate file encryption, access control, and VPNs to protect application data.
Secure Message - We treat data as a message where users can stay compliant with security policies as the data moves.
Authorization - Utilizing the Zero-Trust security model, all data is encrypted and can only be accessed by those authorized.
Routing - XQ can route messages across cellular infrastructures, from 4G, 5G, and Wi-Fi to satellite networks, based on policy such as priority.
Tracking - Every encryption and routing event is logged, recording who accessed data, when, and where, because all data is geo-tagged, while meeting compliance requirements.
Transcript From Developer Roundtable Event
Kelby (36:35):
So there's only around seven minutes left in the call. And I know that when we were introducing ourselves, some of you mentioned you had some questions that you'd directly like to ask a cybersecurity expert, like Junaid Islam. So I'm going to pass it on to the floor to see if there's any questions that you guys have that we might be able to help you with. So I wrote everyone's name down when they were doing the introduction. So I'll just start at the top. Ben, do you have any questions? You work in eSports, definitely an industry where there's secure credit card information, customer information, all of that. Do you have any questions for Junaid or XQ that we could help you with?
Ben (37:22):
Yeah, so I think the biggest one for me is, how do I push a culture of security on my team? Obviously, security is one of those things that, because it's treated like an outside aspect of the platform and you're wrapping your application in a bubble and you're trying to make sure that nothing gets through that bubble. That's not really the best way to promote security, but then you also deal with a lot of devs who, that's not the first thing they think about because that culture just hasn't been pushed before.
Kelby (37:54):
That's a great question. And it even goes back to what we were talking about, how software and security are almost siloed. And we want to integrate that all together because I think then it does push a culture of how much security is important. But I'll pass it over to Junaid, who really is the expert. Junaid, maybe you can talk about your time at Coca-Cola or some of the other projects you've worked on, where they were able to do a top down approach.
Junaid (38:15):
So, you touched on something important, which is, I'm going to paraphrase you a little bit and say, why bother? Why bother doing any of this? And I would say there's two reasons. And, so we're testing this idea. So, as Kelby mentioned, one of the ideas we want to refine with developers is, is your product worth more if it is secure, right? And hopefully the answer is yes. Now Ben, you said something a little important, which is, what if people just don't care, right? Which is tricky. So related to that is, what happens to our business if our product fails? So that's the opposite or other side of the coin, which is okay, the good is, we're better. The flip side is, well, maybe we fail less.
Junaid (39:08):
But I think what I get out of your statement is, it's probably important for us as a group, and I use the word, we're this zero trust software developer community, this meeting is historic, that we have to get good at expressing the economics of integrating zero trust into applications for everybody in the community. Right? So that even the downstream users say, "Hey, let's work with people in this group, right?" We want this to be a win for everybody. So hopefully that answers your question, but it's more work we need to do.
Ben (39:44):
Oh, it's kind of an answer to my question. I mean it more, because I'm in charge of the project and I recognize that nobody cares about security until a breach has already happened. How do you change that culture? And the thing about everything being on the cloud now, and the thing about everything being driven by APIs now, is that formerly really difficult topics that required a lot of math and research level understanding, like security, are available now for random developers who are at any skill level.
Ben (40:22):
So, the question you're asking is, how do we build the right product? The question I'm asking is, I want desperately for everyone on my team to always be thinking about ways that they can make sure that breaches can't happen in the application. But there's business people you need to fight against. And then there's developers who are just more interested in building things that feel good and then move quickly. And so, the task is convincing them that it doesn't have to be hard to integrate security into your application. You just have to understand what is meant by security, basically.
Brian Wane (40:58):
Yeah. I think that there's an interesting way to approach this. And it's almost like a framework approach from a dev perspective. You're setting up several. I'm not sure how you run your team, exactly, but when you're setting up the basic parameters of, Hey, we're using these tools, we're using these libraries, that sort of thing. And if you have an XQ built in as a base library, you can even like develop an interface for it. I think that Ike's got one available. So that anytime that anyone wants to send any information outside of that application, whether it's to a database or a network call or something like that, it just automatically has to hit the securities.
Brian Wane (41:42):
You can build it into the framework. So that it's almost an automated thing that they don't even have to think about. Almost behind any of the network calls is one way to do it from a framework perspective. And then, there are ways, also, to do this from a DevSecOps thing, in terms of building it into, encrypting all of your code when it's at rest, versus when it gets sent to GitHub or, or whatnot.
Brian Wane (42:07):
So I think that asking people to be active about security, we've found to be difficult. [crosstalk 00:42:17] Your point, it's not on their mind. So you have to make it a no-brainer. It's got to be plug and play. So, one of the things we're saying here is that we're trying to make the security aspect of it so easy to integrate that it just becomes that thing where, Hey, this is just a base call in all of our projects, in a way. It's built into it. And then, there are other ways to build security into your workflow as well. Some of which XQ addresses, some of which there are other solutions for, as well. But I think that making it something that people don't have to think about is almost the only way to do it.
Kelby (42:54):
And, I would add two things to that. So one thing is that, security, in general is really a reactive industry. On average, it takes, what, 283 days to identify a data breach within America? So what we've done is we've really looked at security and said, "How can we change it from a reactive industry to a proactive industry?" Selection need was bringing up with XQ once you've integrated that, every time data is accessed or there's an attempt of access, no matter where it is in the world, we're able to flag access that doesn't match the historical places where that data's been accessed from, or whether there's been an attempted access that wasn't successful. So what that does is, on a real time basis, changes security from being a reactive industry to a proactive industry.
Kelby (43:47):
Now, when I look at security as a whole, and I think how do you change the mentality and how do you allow companies to really, and developers to really make sure that security is a value that they keep top of mind? I think it has to be a top down approach, as well.
Kelby (44:04):
So there's a Fortune 500 company a number of years ago. The board of directors identified that it was really important that their information was not breached. So much so that they made a clause in the CEO's contract that said if there was a data breach of this information, that CEO could be fired with cause. What did that do? And, this is a massive company within America. What that did was that CEO immediately invested in security and immediately made job performance tied to data security. So, as a whole, I think that our industry has to really look at it from, this impacts our financial, our reputational, and our personnel, but that's obviously longer term then.
Junaid (44:54):
Great. So I want to thank everybody for joining.