4 Comments

This is a great take -- I largely agree but I suspect at the same time this is partially due to where the money is. In my experience companies with great software engineering disciplines tend to have higher expectations of their security team, and the security team expects more in kind. Just like in software engineering the most advanced teams/processes/etc tend to be found in the highest-performing organizations, the people tend to stay there too... and salary/benefits tend to be quite different as well. If the process and discipline knowledge is going to bleed out into more security teams in more industries I think there needs to be some external driver to promote this sharing.

Open-sourcing documentation for example is a good thing to do but it doesn't seem to be enough.

That's a good perspective, Chris, I agree. When we look at the venture-backed companies in the Bay Area that attract the top engineering talent, they tend to have a great culture around security as well. Then, when we look at a company that is barely surviving with no funding and no revenue, their approach to security will mirror that of their software engineering in general. A good perspective!

I’m not trying to be flippant, but is this not already happening? Who hasn’t received this message?

Security practitioners need to meet customers and partners where they are at and many (if not most) have already had to adapt to these ways of working.

Haha good point, Sarah! I think many people haven't received the message to be honest :) I am an optimist, and when I talk to my friends at the top 5% cloud-native, venture-backed, high-maturity teams, I get WOWed by what can be done. Then I get out of that circle and talk to people in IT working for credit unions, schools, hospitals, and probably 80% of the regular businesses that even have someone that does IT & security, and I see a very different picture.

It can be tempting to look at the top 1% and think "well, it's happening", but the overall picture is that we aren't there yet. Mind you, this is only in the US. As soon as we look at Asia, South America, Africa, Eastern Europe (and frankly - Europe in general), the level of maturity we see is even lower. The top few percent of mature teams do talk DevSecOps, CI/CD pipelines, and continuous testing but many/most are hoping they can get budget to get a decent EDR. So YMMV.