Data privacy gets a lot of attention these days, and rightfully so. From GDPR to CCPA, regulatory frameworks have made it impossible for businesses to ignore the importance of protecting customer data. Whilst these regulations set out the basic requirements for organisations when it comes to data protection, they don’t necessarily address the root cause of the problem - that many breaches occur due to vulnerable code. 

This Data Privacy Day is one like no other. Organisations have faced unprecedented levels of cybercrime in the past year, from attacks targeting highly valuable vaccine data to taking advantage of the increased vulnerabilities brought on by remote-working. For many organisations, budgets are tight but risk levels are growing exponentially, so it’s important they focus on preventing security risk from the outset. 

A 2019 study found out of 32 web applications, 82% of vulnerabilities were located in the application code itself. That’s a lot of risk that can be mitigated by creating secure code in the first place. This is why teaching developers how to code securely from the outset is crucial in the fight to protect customer data. 

The most successful way to do this is through hyper-relevant and developer centric learning platforms, which are integrated into developers’ day-to-day tasks. This helps not just fix existing problems but gives them the skills to code securely in the future, creating a more robust data security posture customers and society at large.

It is our understanding that the cause behind the loss of 400,000 police records in the UK, was down to a human error whereby defective code was introduced during routine maintenance. It is frustrating to see that the loss of this extremely important government data could have potentially been avoided, if only engineers were given the time and tools to put security first, always.  

It’s imperative that all developers are trained in how to code securely from the outset. That way, vulnerable code would never have been introduced, and the loss of data might have been prevented.  

While it’s ineffective to teach secure coding in a classroom, there are ways that governments and private organisations alike can encourage their developers to care about secure coding. One of the most successful ways is through hyper-relevant gamified learning platforms that allow developers to learn how to code securely, without taking time out from their day job.”  

Unfortunately, as happens all too often, a foundational lack of security awareness in development teams proved costly in this instance, and the consequences were dire.

I believe that in 2021 and beyond, CIOs must focus on training people, rather than an over-reliance on security tools. Scanning tools and the like have their place in a DevSecOps process, for example, but security at speed is made possible by producing secure code in the first place. It’s kind of a “humans vs. robots” approach - the human element is often left out, when in fact automation is not getting the job done. Headlines uncovering new data breaches every other day are evidence of that. 

We must get to a point where developers - those who touch code most - are given the knowledge and tools to play a greater role in software security. Ideally, those tools are best placed in their workflow, getting closer to their day-to-day activities until security is second-nature.