The Hidden Toll

Clea Ostendorf
September 23, 2024

A well-known sales methodology emphasizes understanding the levels of “pain” a customer has in order to help them identify the best solution. The Sandler Method breaks down a customer's pain into three categories: first level, the technical need; second level, the business need; and finally, the most important, the personal interest.

Level three, personal interest, is often overlooked when thinking about application security. We buy tools to solve the problem, but we fail to think about the user who is affected. This article evaluates the pain around development and security in an effort to bridge the gap between these two foundations of many businesses. Let's pull back the curtain and explore the hidden stressors that developers face in their daily fight against security threats, and why your program is not as effective as you’d like. Quotes are anonymous to respect the thoughts and posture of the employees.

The Weight of the Digital World

“It's crazy to think about how much sensitive information is at risk if we don't do our jobs right. The thought of a data breach keeps me up at night, no lie.”

Imagine carrying the weight of your company's entire digital infrastructure on your shoulders. That's the reality for many developers today. A single line of code could be the difference between a secure system and a devastating breach. This immense responsibility is enough to keep anyone up at night, and for many developers, it does.

“How do you handle the pressure of securing sensitive data and protecting your company's reputation? It's a lot of responsibility on our shoulders, knowing that one mistake could lead to a data breach.”

The Never-Ending Race Against Time

“Have you ever dealt with a zero-day exploit? It's a nightmare trying to patch a vulnerability that's already being actively exploited in the wild. You have to work fast to prevent a major breach.”

In the world of software development, time is always of the essence: new features, updated performance, customer requests. But when it comes to security, the stakes are even higher and often come with a lot of noise. Developers find themselves in a constant battle of prioritization, with security often coming in second to a product update. This relentless pace can lead to burnout and fatigue, as developers push themselves to the limit to stay one step ahead.

Balancing Act: Security vs. Speed

“Does anyone else struggle with getting buy-in from senior management for security initiatives? Sometimes it feels like they don't understand the importance of investing in security until it's too late.”

Another challenge developers face is the constant pressure to innovate quickly while maintaining robust security measures. This is compounded by communication barriers, where product managers struggle to effectively communicate security needs and risks to both technical teams and non-technical stakeholders. Many product managers lack deep technical security knowledge, which makes it challenging for them to make informed decisions about security trade-offs.

The Invisible Battle

"It's a thankless job. Nobody notices when everything is secure, but everyone points fingers when there's a breach."

Perhaps the most personally frustrating aspect of cybersecurity for developers is the lack of recognition. Unlike flashy new features or performance improvements, security measures often go unnoticed – until something goes wrong. This can lead to feelings of underappreciation and demotivation.

Light at the End of the Tunnel

While the challenges are significant, there are ways to alleviate these stressors. Organizations can play a crucial role by:

1. Fostering a security-aware culture

2. Providing adequate resources and training

3. Promoting clear communication around company goals

4. Recognizing and rewarding security efforts

Conclusion: Empowering Our Teams

As we continue to rely more heavily on tooling to tell us when we have risks, the role of developers in maintaining our digital security becomes increasingly critical. Expecting a single team to manage both building and maintaining a product while also keeping it secure is untenable. We should apply the concepts of Microsoft's Secure Future Initiative (SFI), which focuses on Secure by Design, Secure by Default, and Secure Operations. Security is the priority of every person at the organization. This is a top-down choice that needs to be made and clearly dictated: when it comes to security vs. functionality, we choose security. By understanding and addressing these challenges, we can empower our developers to build secure products without burning out.

Sources:

https://www.microsoft.com/en-us/trust-center/security/secure-future-initiative

https://www.reworked.co/information-management/microsoft-made-security-everyones-responsibility-handled-well-its-the-right-move/

https://www.legitsecurity.com/blog/security-challenges-introduced-by-modern-software-development

https://www.informationweek.com/cyber-resilience/the-psychology-of-cybersecurity-burnout

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10918303/