The National Institute of Standards and Technology (NIST) released updated guidance on securing the software supply chain in response to the Biden administration's executive order on improving national cybersecurity.
Among NIST's recommended minimum security measures for U.S. enterprises are standardizing the language regarding software supply chain reporting and requiring attestation to security practices within software use and development.
Cybersecurity leaders will likely need to enact a cultural shift in their organizational risk management strategies in order to adopt these guidelines, according to Dr. Chenxi Wang, Managing General Partner at Rain Capital and Technical Advisory Board Member at Secure Code Warrior.
"The newest draft of 'Engineering Trustworthy Secure Systems' specifically outlines the importance of proactive risk management, including mitigation of vulnerabilities within systems and software. This requires software engineers to pay attention to and upskill in secure design principles, which should be a layer of foundational learning in their security training," said Dr. Wang.
"Security leaders can set an example for the organization by prioritizing code-level quality and safety, setting developers up for success through security program innovation. Being supported in building hyper-relevant skills helps them understand the importance of security best practices and their power to make a difference."
With the focus on development-level cybersecurity, Chief Information Security Officers (CISOs) may shift and grow their relationships with information technology (IT) and software development teams to prioritize security from the beginning of the software lifecycle.
"I think we are reaching a point where CISOs are generally becoming more interested in the security potential of development teams and what they are doing to protect the organization from devastating data breaches," said Dr. Wang.
"In that sense, I think there will be some new empathy for software developers' plight and their competing priorities, which will, in turn, assist in CISOs having a better understanding of right-fit tools, training and processes to help them achieve security at speed."