Edition 16: Using security teams as a force multiplier
In a tough economy, it's useful to think about how we can add value outside our main job. Adjacent skills picked up as a security professional can help.
Over the last few weeks, I have enjoyed reading the soft side of cyber, an initiative by Robert Wood and Frank Domizio. I especially liked their framework on the soft skills needed to succeed in cyber security (and you know, dear reader, that I am a sucker for good frameworks :)). One of the reasons why building a Security program is so hard is that you need a team with a varied skill set (from tech chops to communication skills to program management and so on) just to get by. The upside is that any good Security professional who has spent time in the industry has picked up a few (if not all) of these skills. Editions 7 and 15 talk about using the rest of the organization as force multipliers to improve the Security program. This edition asks whether Security teams can leverage the skills they already have to become force multipliers for the rest of the organization.
Security teams can leverage skills needed to do their job, in areas such as platform adoption, branding, incident management (non-security), internal training, program management and more.
Mapping skills and programs
The above diagram highlights 6 areas where Security teams can leverage their skills. Let’s dive deep into a few of them.
Tool/platform adoption: If you've ever worked in an AppSec/ProdSec team that has built a secure SDLC, you know the success of the program depends heavily on adoption by developers, DevOps, and engineering managers. No vulnerability management tool is helpful if none of the stakeholders use it well. This means good Security teams know how to nudge (sometimes force, sometimes beg) the rest of the organization to use relevant tooling. To execute this, the ability to sell/evangelize and the ability to communicate our ideas are important. This skill set can be useful to other teams who drive adoption among engineers. Does your QA automation team want to improve test coverage? Does leadership want all new features to move to a microservices architecture? Does your IT team want to stop taking requests on Slack and move to Jira tickets to address grievances? All these problems need folks with the ability to evangelize, persuade and communicate. Security teams can help you out!
Incident management: Things go wrong in production all the time. Security teams are involved only if the probable cause of the incident includes an attacker with the intention to disrupt. However, in most cases, incidents are caused by human error or dependency failures. A solid incident management program can help recover quickly, without adding too much fatigue to on-call engineers. If you are a battle-hardened security practitioner, but your organization is still learning the ropes of incident management, consider lending a hand. Your ability to prioritize (important for reducing fatigue) and communicate clearly (helps resolve incidents faster) can be invaluable for teams that are still learning.
Program management: Security teams often have limited budgets with which they need to mature various parts of their program. Throw in regulatory uncertainties and new threat vectors and we have the perfect program management nightmare: high-stakes programs to execute while having to respond to constantly changing requirements. Good security teams know exactly how to manage these seemingly contradictory requirements. Ruthless prioritization, the ability to manage stakeholders well, and communicating program status are key components of scaling security. The same skills are handy for all program managers. Whether you are managing a cost optimization project or a company-wide re-org, skills picked up by security program managers can be reused across the organization.
Branding: Improving customer trust is a key reason why companies invest in a security program. While many initiatives help build trust, talking about your program in public is a popular way of doing it. Some may dismiss this as security theater (that's a debate for another post), but I think the Security community is excellent at branding itself. The scale of security conferences all over the world and the number of active local communities are proof enough. Security professionals who engage in these activities can help brand your company's engineering program too. From blogs to conference talks to supporting local meetups and sponsoring large conferences, Security teams have done it all. If you write well, offer editing services on your company blog. If you speak at conferences, offer help with submitting papers or getting over stage fright. Your PR team and fellow employees will thank you for it :)
This post may seem a bit hypocritical. We lament the shortage of talent in Security and yet ask good security professionals to help out in other programs. However, in an imperfect world and in uncertain economic times, there are budget cuts and optimization projects, and there is attrition and an inability to hire. In these situations, an all-hands-on-deck approach helps the company and, in turn, helps the Security team. It's an opportunity for individuals to help other teams and learn from them. Finally, if you want a break from Security, this could even be your way out (although, why would anyone ever want to leave this industry? :P).
Do you think it’s a terrible idea to divert scarce security talent in this way? Are there other areas where security teams can help? Product management perhaps or maybe tool selection? Tell me more about it! You can drop me a message on Twitter, LinkedIn, or email. If you find this newsletter useful, do share it with a friend, or colleague, or on your social media feed.