Confronting the Conundrum: Software development speed vs. security

Jon Zeolla

It has often been said — and to some degree tolerated — that myopic security teams cannot see the forest for the trees.  Caught up in their own world, seemingly unaware of the business need to deliver value and get things done, they show up and throw a monkey wrench into what would have been a terrific new way of doing something.  Simply put, it feels like they can ruin everything.

You appreciate that they have a job to do, and you know that security is undoubtedly beneficial to ensuring the business will be there today, tomorrow and for years to come.  But at the same time, there is this unyielding pounding on the wall from the adjacent room that is your security team.  The headaches just don’t go away.

Why is it this way?  More importantly, does it have to be this way?  Is it possible for two disciplines that are incentivized differently to align?  All are excellent questions worth exploring.  This blog will argue that harmony and cooperation by design offer a viable path forward.

Difficult Interactions

Even from a distance, the disconnect can be spotted when development teams come into contact with a security team.  Common observations include the security team’s overbearing risk intolerance and unwillingness to give and take, which makes interactions infuriating.

Predictability also plays an important role in the relationship between developers and security.  The potential for unplanned work, especially unplanned re-work, only frustrates and confuses.  Just when the project is near the end of its lifecycle, security drops the bomb that some new surprise requirement must be retrofitted before the project can be completed.

This dysfunction is often traced back to bad processes, preceded by bad planning, and muddled by undefined or unclear expectations.  But beyond the scant attention paid to the business case and a seemingly unyielding penchant for risk aversion, peeling back the onion exposes other underlying issues besetting your security team.

Security Infirmary

On the other hand, the causes of the security team’s heartburn are numerous: being out of alignment with leadership expectations (such as being GDPR-, HIPAA-, or PCI-compliant), or maintaining and supporting the security of a legacy tech stack.  This can drive the security team to work in circles, constantly reevaluating what is a true requirement and what is merely nice to have.  This disarray is often what pressures security teams to take the easy path of framing a specific implementation plan or more stringent controls as a requirement.  Sure, that approach covers the security team, but it leaves the business prioritizing work that ironically could have been allocated to fixing the root cause, such as reducing tech debt and designing a more modern platform.

Adding to the problem, many security teams do not have the time or focus to implement automation, and the lack of it causes ambiguity through miscommunication or human error.  There are very few scenarios where automation doesn’t add consistency, clarity or at least context to a given decision.

But we all know that automation is futile without good direction.  Knowing the goals and expected outcomes of a process, automated or not, is a prerequisite to a useful result.  Operating a security program without some kind of framework such as NIST CSF, ISO 27001 or SOC 2 makes it difficult, if not impossible, to respond to security findings in a reliable and predictable way.

The 3C’s: Culture, Communication & Clarity

What has been laid out is too often tolerated as the status quo.  This is an unnecessary paradigm, and yet it persists.  Possibly the reason it does is that it’s hard work, both technically and politically, to overcome what has been entrenched for so long.  Organizationally, it has been accepted that security processes slow things down, which creates a festering animosity across teams.  This is a culture issue, and culture change is essential to the next level of excellence.  Those unwilling to challenge this frontier will be left behind.

In a recent article, it was revealed that 60% of developers struggle with unclear requirements.  It is not a desire to ignore security requirements; rather, those requirements may not align with the business’s acceptance criteria.  Having an approval process defined by feelings and not by facts can cause the developer’s struggle to last as long as the security team is engaged.  Had better security criteria been defined at the outset, made available asynchronously through minimal and focused governance, and enforced during development through automation, security findings would become inconsequential: they would be broken down into small, manageable chunks instead of becoming project delays with a drastic impact.

Thus, a change in culture must be adopted to continue progress in a cloud native world.  Fortunately, the fix is clear, and it is founded upon improving communication that drives toward clarity.

The Payoff

Investment in addressing these three Cs can result in increased velocity and efficiency for your organization.  Good coaching and direction will bring you balanced risk management, and will bring your security team to a place where risks are evaluated in concert with the business and with a clear understanding of the big picture.  With a new focus on communicating clear expectations that are properly aligned with business goals, the security team can be the foundation of an improved culture that brings other positive company standards, such as blameless postmortems and regular feedback loops that lead to continuous improvement.

Seiso Can Help

Seiso is a cybersecurity consulting firm, specializing in being an agent of continuous improvement and change.  We bring a deep bench of specialists with an eye for modern security and business practices to address your critical challenges.  Our mission is to bring simple, elegant security solutions that enable businesses to operate in harmony.  Bridging the gap between traditional security programs and DevSecOps is just one of the many services we offer.  We also provide deeply technical cloud and application assessments, security framework implementation, and day-to-day Governance, Risk, and Compliance operations.  Contact us to chat about your situation and see if we’re the right fit for meeting your security objectives.