What CISOs Are Saying: Shifting Left
Published On: August 21, 2020
In this week's edition of "What CISOs Are Saying," we tackle the topic of Shift Left Security and what it means to leading security professionals. "Shift Left" was originally a popular term in the DevOps community; as security leaders have applied it to their own work, it has come to mean building information security into the development lifecycle from the beginning. Doing so makes it easier to identify security concerns or flaws early, and vital resources are used more efficiently.
Shifting Left enables CISOs and their teams to mitigate security risks for both the business and end users. It's imperative that security is involved early on in strategic business discussions; here's what security leaders are saying in terms of overcoming these challenges and pushing for greater collaboration with the DevOps teams:
According to our extensive CISO interviews and market research, 54% of CISOs said they are focusing on Shift Left Security in 2020.
Kevin Paige, CISO, Flexport, agrees that focusing on shifting left significantly increases operational efficiencies. On page 6 of our March 2020 Issue of Feats of Strength, Paige states, "I like to use the words 'shift left' from an operational perspective. How can I provide self-service and/or automated mechanisms where our employees can help find and/or fix issues themselves with great levels of transparency and understanding of the issues?... How can we make security “just work” invisibly and become a thing that blends into the normal day-to-day and not be this thing only a select group of people understand?" In order for security to be baked in from the beginning, it must be embedded into the business and understood across all departments and employees.
The concept of Shifting Left often refers to involving security early in the cycle of technology development: in the same March 2020 issue of Feats of Strength, on page 15, Chris Porter, CISO at Fannie Mae, says that Shift Left security "has been around for a long time. I think it’s really gained a lot of traction in recent years, but a lot of people think about shifting left in terms of code development. Ultimately you want to 'shift left' all the way into business initiatives. Like when you’re doing cost benefit analysis, looking at business value created, technology risk, operational risk, cyber risk, resiliency risk, all need to be looked at upfront. And if you look at all that stuff up front, it’ll take care of itself a lot better as it follows through to when it actually gets to the value creation aspect."
Shifting Left begins with initiating collaboration between the security and DevOps teams; many refer to this merge as DevSecOps. Incorporating the importance of security into the organization's culture helps spread responsibility among all employees. Ensuring this buy-in is vital for an effective security program.
Shifting Left allows you to accelerate speed-to-market.
Shifting Left serves two end goals: increased quality and a reduction in the time required for testing. The cost of fixing security concerns increases significantly the later they are addressed in the development lifecycle. This is not just a security challenge; CISOs must educate their executives on the business impact, in time and money, of not baking security in from the beginning of development.
Bradley Schaufenbuel, CISO, Paychex, echoes this idea on page 10 of our June 2020 issue of Feats. He comments, “Our goal is to get security involved earlier in the development of new processes, products and strategy. I want to make sure we embed security into that thinking from the very beginning rather than bolting it on at the end... When security does find issues, they may be expensive to fix and take time away from pushing out new code. With shifting left, security is baked in at the beginning, which helps avoid costly adjustments.”
Implementing Shift Left Security within your organization helps to reduce unnecessary costs and provide a more seamless experience for the end user.
On page 15 of the March 2020 issue, Cory Scott, Head of Security at Google Nest, explains Shift Left through the relatable lens of an IT help desk: "If you imagine a very traditional IT help desk 10 years ago, and you called the IT help desk and said your email was not working. They then route it to the email team. And I’m going to file a ticket and shift it over to the email team, and then they’ll look at it, fix it, and route it back. In this example, the idea of shifting left is instead of making the mail admin do it, they shifted it left to the help desk and gave the tooling to the help desk so they can fix it themselves. Most corporate enterprises have become much better because of that 'shift left' strategy. The idea is that if you can get the first interaction to resolve the problem, you’ve reduced costs and the users are happier. You can then take those principles and you build it around security."
In the past, development teams may have been disinclined to apply a Shift Left approach because they believed involving security too early in the process could act as a hindrance or obstacle to project progress. However, as Shifting Left has become increasingly constructive and feasible, it has proven to be a best practice in both DevOps and security.
K logix leverages our deep network of CISO leaders, and broad experience working with customers in all verticals, to deliver relevant, analysis-backed consulting services to our customers. We help CISOs and security leaders gain justification, business knowledge and technical aptitude to address Shifting Left. Drop us a line for more information on how we can work together to strengthen your program.
Want more? Read our Feats of Strength issue on 2020 Cybersecurity Trends and listen to our podcast episode on how to keep up with the rapid pace of technology featuring Kevin DeLange, VP & CISO at IGT.