TL;DR / Summary at the end of the post. The information shared in this series is derived from my experience building the DevSecOps program at Thermo Fisher Scientific (a global Fortune 100 laboratory sciences company).
Full Disclosure up-front: I am employed as a Code Scanning Architect at GitHub at the time of publishing this blog post.
With the growing adoption of DevSecOps practices at large companies, security teams need to grow beyond immature, siloed modes of operating in order to address the new set of expectations being placed on them. The maturity required to integrate seamlessly into modern development processes has changed significantly over the last twenty years, and so security must also change with the times.
As it stands today, Security Maturity - in terms of both teams and their technologies - can be measured across four stages based on the direction they’re heading (forward ➡️ or backward ⬅️), and the outcomes they produce. I think of these four stages in terms of breadth and depth as follows:
Few organizations reach this stage of security maturity, and fewer still maintain this level of maturity over long periods of time. Mature teams have mastered many of the challenges adolescent teams encounter by frequently practicing communication, coordination, and collaboration with stakeholders and leadership. Moreover, by having a team with the skills needed to scale, mature teams are able to produce exponential returns on the company’s security investments.
The most stand-out characteristic of mature teams comes from the way they communicate with leadership, colleagues, stakeholders, and dependent teams. Unlike immature teams who often lack empathy - or adolescent teams who often lack visibility - mature teams put a great deal of effort into mapping the problem space while taking the stakeholder’s success metrics into account.
By doing this, stakeholders and dependent teams often reciprocate - treating the security team with respect and understanding when an issue is brought forward. Knowing that the security team understands and values the business outcomes which stakeholders and dependent teams are responsible for goes a long way toward making informed decisions when it comes to accepting or addressing risks to the business.
In short, mature teams do not waste the time of their leadership, colleagues, stakeholders, and dependent teams with frivolous vulnerability findings or “the-sky-is-falling” rhetoric. Mature teams are confident about the risk decisions they make because they have built relationships on empathy, mutual respect, and understanding - all of which come from consistent and timely communications with colleagues throughout the business.
A natural outcome of good communication between mature teams and their colleagues is well-organized coordination on projects and initiatives. Leaders of mature teams often maintain a regular cadence of meetings with their peers who are responsible for stakeholder and dependent teams, allowing them to be informed of upcoming projects and initiatives the business is working to address.
By having this level of visibility - along with taking the opportunity to share their own tactical and strategic initiatives - leaders of mature teams prepare the business for any forthcoming changes. This helps to make space on the calendar, and allows experts within various teams to connect and begin preparations in advance of such changes. This, in turn, engenders networking across teams - and further develops relationships for future collaboration.
The friction that mature teams experience often starts when resources become oversubscribed - and when projects / initiatives run for too long. Having a rotation of talent moving through longer-running projects / initiatives helps ensure that everyone on the team develops some of their skills in a respective area, and reduces the likelihood that losing any one member of the team leads to the wheels coming off.
When mature teams generate positive outcomes in coordination with their colleagues - further collaboration naturally occurs. This is where companies really benefit from having mature teams, as many of the business needs can be addressed while also reducing risk(s). As I shared in my OWASP AppSecDay Australia keynote back in 2018 - security teams and their stakeholders can win together if they work together.
In fact, one of the strongest indicators of how mature a security team is can be found in how much collaboration they are performing with their stakeholders and dependent teams. Highly mature teams are frequently working in partnership with others to move the needle on reducing risk while streamlining business activities.
That said, most of the friction mature teams experience comes from having too many requests for collaboration, and not enough resources to take on all of those requests. This ultimately leads to a need for prioritization, and unfortunately relationships become strained when a stakeholder or dependent team’s requests are not prioritized. This is where strong relationships between teams, as well as shared visibility into what security teams are working on (and why), add valuable context - and build trust.
How to support this content: If you find this post useful, enjoyable, or influential (and have the coin to spare) - you can support the content I create via Patreon. Thank you to those who already support this blog! 😊 And now, back to that content you were enjoying! 🎉
With mature teams, success comes from having visibility and understanding of the problem space(s) they are trying to address across the business. Through strong communication they build a network of connections that help keep them informed of ongoing projects and initiatives their stakeholders and dependent teams are working through.
Likewise, with ongoing coordination of efforts and collaboration on projects and initiatives, the security team is able to produce an exponential impact from the investments they make in partnership with the business. It should be noted, though, that these exponential impacts often require teams that have the right aptitude, attitude, and level of engagement to drive progress.
The greatest fear most security leaders experience is that of stagnation. As I wrote about in my DevSecOps Essentials series, talent is the greatest return on investment companies can make with regard to their DevSecOps program. The moment companies stop investing in their talent, individuals will find another team (or another company) that will.
Likewise, teams will stagnate due to a lack of vision from their leadership - or a lack of investment in that vision by the company. For security professionals, such behaviors on the part of the company show a lack of understanding in how security can add business value and become a point of differentiation from the competition.
Worse still than a lack of leadership and investment, some companies hire unimpeachable security talent only to ignore them - and outright lie to shareholders about the state of their security - once they learn the truth. We recently saw this happen with Twitter, but they are only the most recent public example of this behavior.
That said, security teams often start becoming geriatric when key talent and/or visionary leadership leaves - either for another role within the company, or for another company altogether. How slowly this erosion proceeds after key talent has departed is often a reflection of how well documented their process was - and how automated their technologies were. Some teams can stave off becoming geriatric by hiring new talent to fill the gap, but many companies fail to recognize how important it is to do so.
Mature teams are excellent communicators, and build strong relationships with stakeholders and dependent teams through frequent, ongoing efforts to communicate. This in turn leads to solid coordination between teams, as security teams are able to operate in lock-step due to the visibility, empathy, and understanding they generate through communication.
Likewise, as projects / initiatives are completed successfully in coordination with stakeholders and dependent teams, requests for further collaboration naturally occur. This is where friction may start to present itself with mature teams, as too many requests for collaboration can stretch resources thin. Once mature teams reach this point, they have to prioritize their efforts - creating more friction with teams whose requests have not been prioritized.
That being said, mature teams focus on generating and retaining talent within their organization, which allows for stronger relationships to be built across teams over longer periods of time - and helps to reduce friction between teams when priorities are not aligned. The strengthening of relationships over long periods of time allows mature teams to be successful because they know the history of how things came to be as they are, and have both the visibility and the understanding of what is needed to address risks to the business.
Unfortunately, as with all things, time will eventually erode the quality of mature teams - leading them into a state of “geriatric” security maturity. Whether the business stops investing in their talent, or new leadership lacks domain experience and strategic vision - the outcome is the same: talent moves on to new things, and otherwise healthy processes / projects / initiatives / teams start to fall apart. How long this process of erosion takes will depend on how well processes have been documented, and how automated the team’s technologies are.
As always, thanks again for stopping by to read my pseudo-random musings 😊 While I work on the next blog post on Mature Technologies, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or meander through my DevSecOps Essentials series to discover the worthwhile investments your DevSecOps program might benefit from.
In the meantime, remember to git commit && stay classy!
If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who already support this content!