Rich Smith on redefining success for security teams and managing security culture
The O’Reilly Security Podcast: The objectives of agile application security and the vital need for organizations to build functional security culture.
In this episode of the Security Podcast, I talk with Rich Smith, director of labs at Duo Labs, the research arm of Duo Security. We discuss the goals of agile application security, how to reframe success for security teams, and the short- and long-term implications of your security culture.
Here are some highlights:
Less-disruptive security through agile integration
Better security is certainly one expected outcome of adopting agile application security processes, and I would say less-disruptive security would be an outcome as well. If I put my agile hat on, or could stand in the shoes of an agile developer, I would say they would have a lot of areas where they feel security gets in the way and doesn’t actually really help them or make the product or the company more secure. Their perception is that security creates a lot of busy work, and I think this comes from that lack of understanding of agile from the security camp—and likewise of security from the agile camp.
Along those lines, I would also say one of the key outcomes should be less security interference (where it’s not necessary) in the agile process. The goal is to create more harmonious working relationships between these two groups. It would be a shame if the agile process was slowed down purely at the expense of security, and we weren’t getting any tangible security benefits from that.
Changing how security teams measure their success
If you’re measuring the success of your security program by looking at what didn’t happen, the hard work your security team is doing may never really be apparent, and people may not understand the amount of hard work that went in to prevent bad things from happening. And obviously, that’s difficult to quantify as well, from a management perspective. This often has had the unfortunate side effect that security teams measure themselves and measure their success from the perspective of bad things they stopped from happening. That may well be the case, but it’s hard to measure, and it’s actually quite a negative message. It can push security teams into the mindset that the way they can stop the bad things from happening is by trying to make sure as few things change as possible.
Security teams should measure themselves on what they enable, and what they enable to happen securely. That’s a much more tangible and positive way of measuring the worth of that security team and how effective they are. Any old security team, whether it’s good or bad, can say no to everything. Good security teams understand the business, understand what the development team is trying to get done. It’s really more about what they can enable the business to do securely, and that’s going to require some novel problem solving. That’s going to mean that you’re not just going to take solutions off the shelf and throw them at every problem.
Evaluating your organization’s security culture
Every company already has a security culture. It may not be the one they want, but they already have one.
You need to build a security culture that works well for the larger organization and is in keeping with the larger organization’s culture. I think we absolutely can take control of that security culture, and I’ll go further and say that we have to. Otherwise, you’re just going to end up in a situation where you have a culture that is not serving your organization well.
There’s a lot of questions you should be considering when evaluating your culture. What is your current security culture? How does the rest of the company think abut security? How does the rest of the company view your security team? Do people go out of their way to include the security team in conversations and decision-making, or do they prefer to chance it and hope that they don’t notice and try to squeak under the radar? That says a lot about your security culture. If people aren’t actively engaging with the subject matter experts, well, something’s wrong there.