The Cultural Triad: How to Embed Security into Company Culture with Partnerships, Cooperation and Collaboration
February 10, 2022

Michael Eisenberg
Coalfire

To arrive at a risk-based product development lifecycle, there must be a risk-based culture. While nearly everything can be automated these days, the source code for early-warning risk management starts with people and teams, not machines.

Software development has worked in its own silo for generations, and traditional DevOps has allowed for this vacuum with little to no security involved. Since security is now a process of continuous integration and deployment, it is mission critical for CISOs and the DevSecOps teams to engage in deeper conversations together to start working through the obstacles. The ongoing proliferation of data breaches, bad actor disinformation campaigns, and the endangerment of customer data demands it.

But how does one begin to embed security into company culture? Let's start with the cultural triad — then discuss how to get there.


The Cultural Triad: Partnership, Cooperation, and Collaboration

When the CISO brings the DevSecOps initiative to the C-suite, it should stream into the very fiber of the organization. It must be embraced from above, without indifference, dismissiveness, or passive aggression. By top-level management embracing this framework, the CISO can more effectively set the playing field for seamless integration throughout the organization.

Foster partnerships. Application development and product managers typically don't go to security folks. To begin this pivotal partnership, security folks must go to them. There may be pushback and indifference at first, but to receive cooperation from all parties, it's imperative to overcome communication challenges in pursuit of DevSecOps success. Understand that development may have legitimate grievances with security or executive leadership, so tread carefully and address those grievances in a respectful way.

The best way to start the conversation is from the standpoint of customer priorities. Start talking with designers, developers, and engineers about the customer's threat perspective. The customers need assurance, and if they don't get it from you, they'll go somewhere else that provides and certifies it.

Seek cooperation. Once the security conversation with DevOps is underway, set the table with expectations. If agile methodologies are a part of software development's DNA, now is the time to integrate security into that DNA. In the new development lifecycle, security is everyone's responsibility, so be sure to clarify and delegate ownership and accountability. Leverage the organization's mission and purpose to merge security with quality and infuse it into the company's culture.

Embrace collaboration to drive revenue growth. After addressing the need for DevSecOps from a customer perspective, everyone should focus on management's prime directive: revenue growth. Corporate officers and directors are measured and compensated by how well they deliver benefits to shareholders. A breach, a fine, or lost customer trust will have dramatic and direct impact on this calculation. Security can no longer be viewed solely as a cost center; instead, it is essential to generating revenue.

A collaborative corporate mindset empowers employees with more portable skills that enable career advancement and instills confidence in their technical abilities. It also embraces the principles of diversity, equity, and inclusion to create a mosaic of ideas and backgrounds. With this recognition, everyone is better equipped to understand their role, and how they can contribute unique skills and perspectives to the “security-focused” company culture in a meaningful way.

Security Leaders Can Lead the Transformation

Secure products have become value propositions and trigger points for purchasing decisions. The secure product lifecycle is closer than ever to everyone's core business, and everyone knows it. Customers expect it, and marketing is talking about it. Security has become more cross-functional by necessity, and with that, the surrounding corporate culture that supports it. A risk-based culture focused on threat modeling and the logical prioritization of vulnerabilities makes all this possible.

Security leaders are in the perfect position to help create a risk-based culture. Developers need to exercise risk-based team collaboration through cooperative partnerships. Examples:

■ Partner with someone in security to run tests on what they're building

■ Use procurement and vendor management to validate desired third-party software

■ Work with legal to sort out open-source contract issues

■ Communicate with marketing in putting a public face on the secure app they have created

That's a lot of people, and many teams to work with, compared to the smaller microcosm of stakeholders that developers typically interacted with 10 to 15 years ago.

Ask questions. Ask for help and advice. Role play, humanize and align. Partnership, cooperation, and collaboration are the cultural disciplines that bridge the gaps between development and security operations, and into the new methodology of DevSecOps. The alignment created through a risk-based culture strengthens the development lifecycle and produces better applications that protect the customer, the product, and the company.

Michael Eisenberg is VP, Strategy, Privacy, Risk, at Coalfire
Share this

Industry News

June 23, 2022

Akana by Perforce now offers BlazeMeter to customers, previously a solution with Broadcom Layer7.

June 23, 2022

Coder announced the release of a new open source project that gives developers and data scientists a consistent, secure, yet flexible way to create cloud workspaces in minutes.

June 23, 2022

GitGuardian is announcing a series of new features to address developer experience in securing the software development lifecycle.

June 22, 2022

OctoML released a major platform expansion to accelerate the development of AI-powered applications by eliminating bottlenecks in machine learning deployment.

June 22, 2022

Snow Software announced new functionality and integrations for Snow Atlas, a purpose-built platform that provides a framework to accelerate data-driven technology decision-making.

June 22, 2022

Traefik Labs launched Traefik Hub, a new cloud service that eliminates the complexity of management and automation of Kubernetes and Docker networking at scale.

June 21, 2022

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the new Open Programmable Infrastructure (OPI) Project.

June 21, 2022

Docker announced the acquisition of Atomist, a company founded to improve developer productivity and keep cloud native applications safe.

June 21, 2022

SmartBear released BitBar, an all-in-one web and native mobile app testing solution.

June 16, 2022

Armory announced general availability of Armory Continuous Deployment-as-a-Service.

June 16, 2022

Infragistics announced the launch of App Builder On-Prem.

June 16, 2022

LambdaTest launched Test-at-Scale (TAS), a test intelligence and observability platform, to help development teams with shift-left testing.

June 16, 2022

NetApp announced continued innovations and solutions to provide enterprises with more simplicity, more security and more flexibility for their hybrid multicloud environments. These new capabilities include improved ransomware protection, hybrid cloud storage in a single subscription, unified management in a single user interface, and close collaboration with VMware to help transition workloads to the cloud.

June 16, 2022

Code Intelligence announces $12 million (11M€) in Series A funding led by Tola Capital.

June 15, 2022

Keysight Technologies and Sauce Labs have partnered to deliver cloud-based testing of enterprise applications on mobile devices, browsers and secure desktops.