Building (TLDR)

Shadow Teams

• Avoid “shadow IT” anti-patterns:
  • Security is hired into a non-engineering reporting chain
  • Security is excluded from engineering roadmap discussions
  • Security makes unique technology choices and owns separate source code management
  • Security lower and has inconsistent hiring and interviewing standards
  • Security has lower and inconsistent development and deployment standards (style, peer review, testing)

Engineering Identity

• Builders should be indistinguishable from their partners: IT, Product, Engineering
• Share identity with partner organizations:
  • Security reports to engineering leadership.
  • Planning and roadmapping should be inclusive of security efforts.
  • Security shares the organizations technology standards and development practices.
  • Security hiring maintains and contributes to the hiring bar.
  • Security mitigations are rolled out with product launch / deployment standards.

Ownership Philosophy

• Philosophy of fixing security issues with no clear owner
  • Security is not catch-all bug dumpster
  • Security does step in for unowned or specialist problems
  • Culture, values, leadership, and “whole team” approach to sharing the work.