Is Engineering Leadership Responsible for Legal and Business Accountability in the SDLC? — Probely

Who is responsible for the software development lifecycle (SDLC) in your business? It may seem that the CEO and/or Board of Directors are ultimately responsible for the SDLC. However, as regulations change, such as the SEC's crackdown on security incident reporting, which affects enterprise CISOs as in the SolarWinds case, that responsibility may be shifting.

There seems to be a shift towards holding executives responsible for security events, particularly those who oversee the technical side of the business day to day, rather than executive leadership that may be disconnected from IT and from the resilience of internally developed software.

Questions Arise

With the SEC setting a precedent and CISOs being held accountable, and with the SDLC being crucial for overall security posture and incident response, questions arise:

  1. What is the business’s accountability for not overseeing the SDLC adequately?
  2. How does this affect engineering leadership roles like CTO or VP of Engineering? Do they now bear legal and business accountability for the SDLC?

These questions would have seemed absurd not long ago, but in today’s business climate, they need to be addressed to understand what changes are needed in the process and who could be held liable in case of incidents or breaches.

Expecting the Expected – When Worst-case Scenarios Arise

While it is difficult to predict the "unexpected," it is crucial to prepare for the known threats in software security and the SDLC: external attackers, untrained developers, untested applications, and common vulnerability classes. Businesses need to be prepared for these known issues to avoid incidents and breaches.

Security incidents and data breaches impact all employees involved in software creation and oversight, making it a business problem that needs to be addressed.

What Should You Do Now?

Every business has different levels of risk tolerance and regulatory interpretations, so there is no definitive action plan. However, internal discussions should focus on:

  1. Engineering’s views on SDLC accountability
  2. Collaboration between engineering and information security to understand risks and opportunities
  3. Potential liability insurance for engineering executives
  4. Improvements needed in the SDLC for enhanced resilience and security
  5. Regular reviews and audits of the SDLC to identify security risks

These discussions should involve security, engineering, compliance, and legal teams, emphasizing the importance of the SDLC in addressing security flaws. The trend of holding CISOs accountable for security may extend to CTOs and VPs of Engineering in the future, making preparation essential.

Copyright © TSP 2024. All rights reserved. Designed by Enovate LLC