Shadow Teams

  • Avoid “shadow IT” anti-patterns:
    • Security is hired into a non-engineering reporting chain
    • Security is excluded from engineering roadmap discussions
    • Security makes unique technology choices and owns separate source code management
    • Security has lower and inconsistent hiring and interviewing standards
    • Security has lower and inconsistent development and deployment standards (style, peer review, testing)

Engineering Identity

  • Builders should be indistinguishable from their partners: IT, Product, Engineering
  • Share identity with partner organizations:
    • Security reports to engineering leadership.
    • Planning and roadmapping should be inclusive of security efforts.
    • Security shares the organization's technology standards and development practices.
    • Security hiring maintains and contributes to the hiring bar.
    • Security mitigations are rolled out with product launch / deployment standards.

Ownership Philosophy

  • Philosophy of fixing security issues with no clear owner
    • Security is not a catch-all bug dumpster
    • Security does step in for unowned or specialist problems
    • Culture, values, leadership, and “whole team” approach to sharing the work.