Are you making strides towards reducing hygiene concerns, specifically when working with developers?

1.4k views, 5 Comments

Head of Security and Compliance in Software, 51 - 200 employees
Regarding risk and hygiene, one of the fundamental things that we think about is training. We make sure that they get enough knowledge about how to take care of the assets and access all sorts of details. And it's not a one time thing, it's ongoing. If you say, "My product security is secondary," you can't survive in the current generation.
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
We're trying to take the organization ahead left of release—really deep left. Two years ago we sent out this intentional strategy around hygiene. From 2018-2019, there were pulses coming in from the industry through regulators and audits, and the CISOs that were really paying attention—especially to third party risk assessment concepts—weren't accepting just a SOC 2 Type 2. They were like, "I want that but I want to see how many exceptions you have, how do you deal with defects?" They were asking very specific questions. From 2019 into 2020, you started to see this heavy shift to try to take your identification remediation left of release.
IT Manager in Services (non-Government), 10,001+ employees
The way we see it at Acxiom, it's a culture shift: shift that to left of release. We've seen smart threat actors who want to get into your CI/CD, because once they're in at the beginning, they're almost undetectable throughout the lifecycle of that application. We work to make sure security becomes business as usual (BAU): not an afterthought, but part of the culture. It's part of the agile sprints and the strategy; we're getting people to self-report, and security comes in at the tail end to just make sure we're validating. The strategy has to be a cultural shift so that the developers and product owners who are working at the code level are on the same page. We've seen our product owners really grow in that space to the point where, once we've equipped them and interpreted policy, they're able to run with it as requirements.
2 Replies
Expert Information Assurance Manager, 1,001 - 5,000 employees

I think the culture shift is that there's a better understanding now, and security is not a burden to them. It's not about ripping up their work and throwing it out, it's about real value.

IT Manager in Services (non-Government), 10,001+ employees

Exactly, it's part of their revenue-generating projects and they see it as a value add as opposed to huge projects at the end when they're getting to production.
