- Avoid “shadow IT” anti-patterns:
- Security is hired into a non-engineering reporting chain
- Security is excluded from engineering roadmap discussions
- Security makes unique technology choices and owns separate source code management
- Security lower and has inconsistent hiring and interviewing standards
- Security has lower and inconsistent development and deployment standards (style, peer review, testing)
- Builders should be indistinguishable from their partners: IT, Product, Engineering
- Share identity with partner organizations:
- Security reports to engineering leadership.
- Planning and roadmapping should be inclusive of security efforts.
- Security shares the organizations technology standards and development practices.
- Security hiring maintains and contributes to the hiring bar.
- Security mitigations are rolled out with product launch / deployment standards.
- Philosophy of fixing security issues with no clear owner
- Security is not catch-all bug dumpster
- Security does step in for unowned or specialist problems
- Culture, values, leadership, and “whole team” approach to sharing the work.