It’s an oft-repeated mantra around here that security is everyone’s responsibility. But it is easier said than done. This blog explores how Thoughtworks introduced a new security approach, to empower product teams and enable accountability among team leads. The new approach ensures teams and leaders are informed of and responsible for security risks.
Our InfoSec (Information Security) team is a ‘first responder,’ working with both client-facing and internal product delivery teams. The InfoSec team is also a bridge between technologists, legal teams and the client or internal product owners. This twin role gives the team reasonable insight into the challenges of improving security – after all, if the InfoSec team finds it hard to get right, it’s likely others face similar struggles.
One of the biggest challenges for the InfoSec team has been to change how and when teams thought about security.
Conventionally, security ends up being an afterthought, implemented reactively across most teams only after an impact is felt. Teams have involved the InfoSec team only when they were already stuck in their security journey, after key decisions had been made and it was too late in the feedback cycle of product development and delivery. The chances of the InfoSec team becoming a bottleneck rise sharply when three things coincide: the InfoSec team is low on bandwidth, it is called in late, and the request is an urgent security-related challenge.
In the effort to create a mindshift in how teams approached security, the InfoSec team adopted a ‘security consulting’ model by conducting regular half-hour calls with leads and interested members of the internal delivery teams, to discuss security vulnerabilities, tooling, project tasks and the progress of monthly tasks.
The problem was, these calls were more akin to status updates than rich discussions on secure product delivery. The nature of these calls created the wrong perception that ownership and accountability for a secure product were InfoSec's problem to solve. Sometimes, leads were unaware of the security requirements for their product and found it difficult to incorporate security into their functional roadmap. And sometimes, team members who were enthusiastic about security did not feel empowered to act.
Learning from these missteps, the InfoSec team adopted a new modus operandi. Here are the three goals and the guiding principles the InfoSec Center of Excellence (CoE) adopted when rolling out the new approach:
Goals:
Help teams plan for the road ahead
Make it feasible and scalable to support the team
Make progress visible and measurable to ensure data driven decisions
Leveraging the DevSecOps manifesto, we implemented these guidelines:
Build security in rather than bolt it on
Rely on autonomous development teams rather than security specialists
Implement features securely rather than security features
Use tools as feedback for learning rather than end-of-phase stage gates
Build on a culture change rather than policy enforcement
Rolling out the new InfoSec approach involved:
Avoiding the use of external triggers to force a change
Reinforcing the ‘why’ of security rather than prescribing how to achieve maximum security
Nominating a person for action rather than waiting for someone’s voluntary participation
Allowing the data to tell the story
The next blog in this series delves deeper into each of the above steps that helped roll out the security consulting approach at Thoughtworks.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.