Have you ever had a talented mentor who went out of their way to help you and made a significant impact on you? I hope so. These people pave the way to success within an organization, and becoming that individual on a security team goes a long way toward ensuring the success of the organization's security posture. If you cannot be that person, security will inevitably become an out-of-band process that engineers see as a blocker rather than a group of people who help them achieve their goals.
Scaling a security team to match the size of your engineering organization is a never-ending race you will inevitably lose. Building trust and autonomy through security culture lets you scale to the size of the organization anyway, by distributing security responsibilities across it. An example of how to approach the relationship between security and engineering is how Netflix tackles security culture.
Building rapport with engineering involves good communication, finding common ground, shared experiences, empathy, and being part of the team. Getting involved in impactful projects paves the way to success and ensures you are included in the future. Get involved in planning meetings, proposals, design decisions, and projects where you can eventually provide your expertise and contribute meaningfully. Once you do, being involved in more aspects of the organization becomes a self-fulfilling prophecy.
One way to start getting involved is to listen to your colleagues and learn what the organization needs. Here are some initiatives you should listen for, so that you can contribute to or even lead them once you have built rapport within the organization:
- New feature release to the product
- New processes and procedures within the organization
- Documentation for new engineers
- Training within the organization
- Adopting a new technology
- Improvements to the software development lifecycle
- Reducing wasteful resources
Have you ever witnessed individuals pull pranks on unlocked machines? That behavior is not conducive to the trust and empathy a security team must provide in order to mature security practices within the organization. Be someone people like to talk to, promote trust through open communication, and be friendly; it goes a long way in helping one another. Creating a culture of trust and respect through your role can be achieved through, among other things, the following:
- Provide security and awareness training for engineers
- Involve employees in security decision making
- Encourage ownership throughout the organization
- Encourage reporting security issues and concerns
- Foster a culture of collaboration through communication channels
- Provide opportunities for team members to work together on projects or challenges
- Recognize and award employees who demonstrate good security practices
- Implement automated security controls to assist in self assessments
- Establish clear documentation, procedures, and policies to assist individuals in making the right choices
Freedom and Ownership
Giving engineers the ability to operate within their space and accelerate their projects is a crucial element of the organization's success. Projects should have clear ownership and clear expectations for a given task, and the same should be true across your environment, including infrastructure components, applications, projects, and associated assets. When engineers lack the tools, expertise, and resources they need to be successful, the security team will fall short as well. Giving engineers freedom and ownership of their function, along with the right resources, goes a long way toward making security a part of the product.
The next section will go over how you can empower operations, security, and development teams to build out a minimum viable DevSecOps program.