How to grow a security mindset in your team. A guide for tech leaders.
Popular articles
About me
My name is Mauro Bagnato and for over 15 years I have been leading tech organizations.
When I first stepped into leadership, I believed technical expertise was the key to being an effective leader. However, I quickly learned that organizations are living and complex systems and that leading them demands much more than just technical know-how. I believe that curiosity is at the heart of effective leadership. This is what fuels learning and experimentation, both crucial for continuous improvement. This blog aims to explore engineering leadership in all its aspects and to provide insights in a tangible and pragmatic manner. It will also be a space where I will share insights, reflections, and personal takeaways from books, podcasts, and articles that influenced and keep influencing my journey.
Find out how I can help you!
It is hard to believe it, but SQL injection is still one of the top vulnerabilities.
I don’t think it’s about technical competencies, the problem is elsewhere.
Let’s take a step back.
Over the years, I've noticed a recurrent pattern in tech companies:
- At some point in time, someone in the executive team recognizes the need to build more “security muscles”.
- The hiring process kicks off and security specialists come on board.
- Sooner than later, a dedicated security team is in place.
- Development teams and security teams grow in siloes, each with its own set of priorities and objectives. And very limited interactions.
- All of a sudden, security issues emerge and crash into the development team backlog demanding immediate attention.
- Development and security teams work together to fix the problem.
- When the dust settles, the cycle restarts at step 4.
Analyzing this pattern, it is clear to me that security is treated as an afterthought, something that lives outside the product development cycle.
The reason?
A lack of security mindset or security culture!
As I’m not a security guru I’m not going to delve into technical details here. Instead, my goal is to share some insights on how tech leaders can foster a security mindset without being security experts.
Here are some actionable insights based on my personal experience and a few helpful resources I’ve come across:
- Be the security advocate
- Help the team handle the "sec debt"
- Align incentives
- Set the right expectations
Be the security advocate
As a tech leader, you are likely part of many tech discussions. There is no better place to trigger wider and deeper reflections around security and emphasize its importance!
Powerful questions like:
- What are the implications of this decision from a security perspective?
- What risks are we running if we take this path?
- Would we benefit from having a security expert in this conversation to challenge our assumptions and beliefs?
Can open the door to alternative solutions/scenarios and, at the same time, plant the seed of security awareness.
If you are wondering what is the right context for firing these questions, my answer would be every meeting. “High-stakes meetings”, where architectural evolutions, tech strategies, etc. are discussed, may already factor in security considerations. It is often the apparently “less important” meetings, the everyday discussions, where the security perspective is missing.
In a few words, make every conversation an opportunity to grow the security mindset!
Help the team handle the "sec debt"
Handling technical debt is very demanding. Adding the “sec debt” to the mix looks like an impossible challenge. So, how can a development team cope with everything?
The answer is simple. The team does not have to cope with everything but just with what matters the most at any point in time. Security issues, as any other work item, should live in the team backlog and be prioritized. Prioritization can be a bit trickier though. It requires, in fact, proper risk assessment and impact evaluation.
Align incentives
The need for deeper collaboration between development and security teams is a no-brainer. Yet, it's puzzling why this is so hard to achieve.
Initiatives like holding regular joint meetings, encouraging cross-team communications, team embeddings, etc. often fail because they do not address the big underlying problem which is a misalignment of incentives.
The famous quote by Charles Kettering A problem well stated is a problem half-solved reminds me of the importance of surfacing and articulating the problem to have better chances to fix it.
The following set of questions can serve this purpose well:
- Do development and security teams share common goals?
- What metrics are the development and security teams measured against?
- How are the development and security teams’ performances going to be evaluated?
Set the right expectations
As a hiring manager, what do you expect from a security specialist?
A security guru with very deep technical competencies can solve tough problems but it is not necessarily the right person to foster a security mindset in the organization. This ambitious task requires more than technical competencies. Strong leadership and communication skills and solid change management expertise are equally, if not more, important.
Final words
It's time to recognize that security is not just a technical problem, but a mindset that should be embedded in every stage of the software development cycle. Tech leaders should not shy away because of a lack of competence, they (we) can be instrumental in driving the shift towards a more holistic security mindset.
