To create, protect, and maintain effective systems, engineering and security must work together.
Delivering secure, quality products at pace is the goal for any engineering team. But developers often feel like traditional security approaches are slowing them down, while security folks feel their work is being pushed to the bottom of the list.
In this series, we explore how the two teams can build better relationships, support and influence each other from the sidelines, and create a modern, healthy security culture that benefits the software and everyone involved.
Episode 01: Overcoming security hurdles to push engineering velocity
How are engineering leaders in other organizations working effectively with security to deliver quality code, faster? In this panel discussion, a group of tech leaders came together to discuss how they navigate this tricky but critical relationship and find creative ways to reach their shared goals.
Featuring Nimisha Asthagiri (Principal Platform Strategist at Thoughtworks), Stevi Deter (Principal Software Engineer at DexCare), Jeremy Goldsmith (Head of Engineering at StackHawk), and Michael Stahnke (VP of Platform at CircleCI), the panel explored:
- How security processes can drive engineering velocity
- Practical steps for collaboration between developers and security teams
- How to empower your engineers to find and fix vulnerabilities in their own code
- How to develop a culture of shared responsibility around your org’s security principles
Episode 02: Shifting left on security: Five steps to transformation
It’s time for a different approach to security, one that’s better aligned with the pace of modern engineering teams. In this article, Jeremy Goldsmith shares why we need to shift security out of the slow lane and into the fast lane (in other words, shifting left), with practical solutions for getting there.
From rethinking the role of security and embracing new tools to training and trusting developers and aligning security and engineering leaders around shared goals, Jeremy walks us through his five steps for building the security culture we need.
Episode 03: Supporting, influencing, and leading as a security practitioner
Advocating for security plans can feel like selling insurance: incidents happen all the time that prove the need for it, but persuading people to invest can be a challenge. How can security folks demonstrate the value to developers and product teams focused on quick delivery and low costs?
In this article, Izar Tarandach shares how he successfully advocated for security by supporting, influencing, and leading engineering teams from the sidelines. The secret? Understanding and practicing the right kind of empathy.
Episode 04: Six ways security teams can build better relationships with engineering
Did you know that 52% of developers view security policies as a barrier to innovation? In this article, Shirish Padalkar argues that the best way to bridge this gap is by building better relationships between the two teams. And there are six things security folks can do to get started.
From empathizing with engineers and making realistic trade-offs to establishing their credibility and rewarding good security practices, Shirish shares everything security teams need to know to start building productive and positive relationships with engineers.
A final takeaway
Throughout the series, our authors and panelists agreed that at the heart of the security problem, there’s a people problem. Both engineering and security teams need to practice empathy, build trust, and learn to communicate. Building a collaborative security culture doesn’t happen overnight, but there are several things leaders can do to kickstart the process, starting with a change of attitude.
In the words of Jeremy Goldsmith, ‘Bringing security into the modern age of software engineering is not only possible, it is a reality, and more and more organizations are doing it. Whether your organization is primed for this type of transformation or has a lot of work to do, the best way to get started is to start.’