Security initiatives are important for the long-term health and success of any organization. Unfortunately, security teams often end up saying “no” to a lot of things, which can make security feel more like a blocker than an enabler.
In a recent episode of The Secure Developer, Peter Oehlert, Sr. Director of Security Engineering, joined Guy to talk about how he’s grown the security team at Smartsheet, key learnings he brought with him from his time at Facebook, and what teams often get wrong about security. Here are a few of the lessons from the episode on what teams can do to make security initiatives a business enabler.
Identify What You’re Not Going to Focus On
Peter says that it’s important to set priorities early on to ensure that the team stays focused on high-impact activities. Small teams often end up playing a continual game of catch-up, trying to tackle issues as they come up. But this approach means that teams get stuck putting out fires. They might then neglect more strategic initiatives that would have a long-term impact on the business:
[W]hen you’ve had a rational threat-based prioritization on the things that you’re not doing and you’ve decided that for whatever reason you can put that down, it can help keep you focused on the things that you are going to go to and do really well.
By setting clear parameters around the security team’s priorities and being explicit about what they should not work on, the team becomes more efficient with its time and makes a more meaningful impact on the business.
Align Security and Engineering Goals
Finding a balance between shipping things quickly and shipping things securely is a constant struggle for many teams. Peter shared that adopting the mindset that the security team should enable the business and the engineers to be more effective has been an important part of building a scalable team.
It’s not saying that we’re going to accept all the risk or ignore all the things, it’s challenging us as engineers to be more creative, more thoughtful and think about deeply, “How do we get to that ‘Yes?’ What’s necessary to get us there?”
Peter also noted that having Security sit with the Engineering team makes a big difference in keeping teams in alignment over time. At Smartsheet, Peter’s team reports into the CTO, which helps ensure that security goals stay closely tied to product development. This also helps avoid an “us vs them” mentality that can crop up when the teams are siloed.
It’s really important for the security team to be thought of as a partner and a collaborator and equivalent to your engineering teams, so that there’s both an equilibrium but also a really good collaboration that can form around that.
Collaborate for a Culture of Security Ownership
Collaborating cross-functionally with other teams, from sales and marketing to legal, is another important component of a well-run security team’s day-to-day.
If you’re not thinking about how to help educate and communicate risks to your company broadly so that then those folks, all those individuals can go and help identify risks that maybe you’re not going to have insight into, then you’re missing the boat.
Peter notes that, for many organizations, security often drops off the team’s priorities after things get shipped. He says that the security team should ensure that the entire team has insight into the information they need to keep tabs on the application over time. His team’s responsibilities include maintaining dashboards that help give other teams insight into
Making sure that the right information on what needs to be monitored and how it should be monitored gets to the team that does the monitoring is another important thing that app sec folks will help facilitate as they’re working with a particular feature team to bring a feature to market.
Learn More from Security Leaders at DevGuild: Enterprise Security
Establishing and scaling security initiatives is essential, especially for organizations catering to enterprise customers, but getting it right can be challenging. At DevGuild: Enterprise Security, we brought together CISOs and security leaders to discuss the distinct challenges faced by developer companies. Watch the sessions here and check out other security content in the Heavybit library.