Culture is everything when it comes to building a security mindset within an engineering organization. Without the right values in place, development and security teams often lack alignment, which can become a blocker for shipping projects and moving the business forward.
In a recent roundtable discussion, our own Global Head of Security Product Strategy Zane Lackey and Chief Product Architect Sean Leach spoke with Forrester’s Sandy Carielli about the challenges and benefits of building a secure DevOps culture in an era of fast digital transformation. In short, the whole organization needs to see the value — and the real work to get there starts with trusting and empowering your people. Here are some highlights from their discussion:
1. Build trust between development and security teams
Development and security teams may not always see eye to eye, but from a relationship perspective, developers and DevOps teams need to trust not only their technology but the people they work with. At Fastly, we’ve taken steps to build trust by embedding security people into development teams — and developers into security teams — so they can all begin to work toward the same goals. This helps establish camaraderie, and trust naturally follows. The teams can then sit back and enjoy the value security brings to the lifecycle of applications — observability, protection, and visibility.
Sean believes that the best dollar-for-dollar ROI-spend is getting together socially with other teams — lunch over video chat or virtual happy hours. It gets teams talking, and they become invested both in security and how it affects their part of the business.
Building trust internally also benefits customers. Our collaborative structure means engineers and security work as a team, providing a seamless service to customers facing an urgent need to scale-up.
2. Find a way to say yes, together
Security has a reputation for saying no. Zane compares saying no to the office fire alarm, acknowledging that it’s there for a reason. But not to be set off every day.
To avoid other teams routing projects around security, the foundational building block has to be about finding a way to say yes, together. Security should enable a business to move forward. Figure out what the underlying function or capability is that your colleagues need. What is it that they require to get their job done? Once you understand the need, get out of the way. Whenever possible don’t just say no — deliver alternative solutions. Create safer ways for teams to perform the function or capability. If you give them a better way to get the job done, employees will actually use them.
And by working with teams and considering factors such as policies, technology, architecture, and the whole flow, development and security will align for a secure application deployment.
3. Hire through the lens of security across your engineering organization
To eliminate the typical push and pull between security and development teams, Sean and Zane agree that probing for a security mindset during the interview process is key — no matter which side of the secure DevOps table a candidate sits on. The right security-minded candidates demonstrate a willingness to collaborate, keep an open mind, and work toward collective goals.
Ask them how they’ve dealt with internal security/development conflict in the past. Empathy needs to be a core part of your team’s culture. So understanding the daily battles faced by your peers and being able to commiserate can help your teams form stronger bonds and be more successful in the long run.
Again, it all comes back to trust. Having trustworthy teammates who understand the overall goals of the organization can bolster a culture of security.
4. Get everyone on board with security through internal marketing
Highly skilled security professionals spend most of their time with their heads down working on security engineering projects. One skill they often lack is knowing how to market their services internally. If they can make the rest of the organization aware of what they do, it will help create a culture of collaboration and trust. It will also extend the credibility of security throughout the whole DevOps environment.
This is where a security champions program adds real value. Security champions, and also developers championing security, drive education throughout the business. They teach people about the latest security tools and platforms — how they’re used and why they’re important. At Fastly, we have an entire Slack channel dedicated to the latest security research, techniques, and tools — and our people love that channel because it allows them to understand how we’re practicing the security we preach.
For more on how to build tight-knit secure DevOps teams, watch the full conversation.