Security and Development: How to Manage Disparate Goals
March 2nd, 2017 | By Shaumik Daityari | 3 min read
Security and development teams have traditionally been separate organizational units of an IT firm, each with well-defined tasks. Development teams focused primarily on the design, implementation, and maintenance of applications, whereas the purpose of a security team was to monitor the organization's network security (primarily on the server side) and resolve security incidents. Decades ago, keeping the development and security teams as separate units worked fairly well, because their jobs did not overlap much.
In recent years, due to the advancement of technology and the emergence of new kinds of security threats, the boundary between the development and security teams has grown thinner. Their tasks have become interlinked, as security is now an integral part of the applications being developed. However, because development and security teams are still separate entities within the organization, friction arises between them whenever their goals are not aligned in the same direction.
The cause of this friction is a phenomenon known as subunit orientation: the tendency to view a role within an organization strictly from the perspective of one's own subunit. In practice, this means that a developer gives priority to development goals over security goals, and a security professional does the reverse. Therefore, the need of the hour is to align development and security objectives towards a common goal and to increase collaboration so that both teams can meet the challenges of this changing landscape.
The philosophy of DevOps, which has gained popularity over the last few years, interlinks these tasks to increase the efficiency of the firm by reducing rework and fixing issues as they arise. Let us now look at a few DevOps paradigms specific to our case, with the objective of increasing collaboration between your development and security teams to enhance productivity.
The first step towards collaboration is to change the traditional mindset of separate development and security teams with completely different goals. To do so, an organization needs to promote a culture in which these departments consider themselves part of a common, larger team with one ultimate goal. When goals are aligned, each team understands the bigger picture and avoids deviating from it. Further, each team needs to understand and respect the roles and goals of the other team and give them due consideration in its day-to-day activities.
Such a mindset may be achieved by focusing on delivering a superior product for the customer. Brainstorming at the initial stages of a project helps everyone understand how the goals of the various teams fit into the overall value proposition of the product, resolving possible conflicts before they surface at later stages.
A step in the right direction could be to bring both departments under the same roof and have them (or their unit heads) report to the same person. This way, the top-down goals of both departments are aligned, and possible conflicts in their tasks are avoided. This step also removes the problem of subunit orientation, as the larger objective of each of these teams becomes the same goal.
As security is embedded in the software development process, members of the security team may be placed into software development projects as consultants. This ensures that security goals are aligned and that the firm's security policies are followed right from the design phase, which minimizes the possibility of rework later. It also keeps the security team aware of the development teams' goals, which reduces the possibility of conflicts.
One area where this is helpful is combating client-side security threats. Traditionally, security teams have focused on server-side threats, but client-side threats such as the Man-in-the-Browser attack, which cannot be detected on the server side, may cause huge financial losses to a business. By working with the development team, the security team can provide solutions that address client-side threats as well.
Traditionally, a security team has worked in the background, tirelessly keeping your product safe from cyber attacks. With an active role in the development process, however, security may be bundled with a product offering to improve the value proposition to the customer. Enhanced security in a product might also help a firm provide a differentiated offering compared to its competitors, gaining an edge in a competitive industry.
Yet another way for the security and development teams to collaborate is to work together on security incidents. One step could be to merge the issue trackers of the development and security teams, making it possible to clearly define and track the activities for each incident. This would improve efficiency and responsiveness by making use of the synergy of working together.
In the modern competitive environment, it is necessary to use resources efficiently in order to survive and grow. Getting the development and security teams to work together through modern-day DevOps paradigms will go a long way towards the objective of creating a lean organization.