Breaking organizational silos for better application security

July 08, 2021 By Phil Vuollet


We are all familiar with the way organizations are typically structured along functional lines, such as sales, marketing, development, and so on. However, this structure can put a frustrating distance between groups that have to work together to complete a program, a project, or even a single task.

This is especially crucial to consider with security efforts. Whether separated by functional lines, product areas, physical distance, or any other kind of barrier, it's important to know how to get these groups on the same page.

At the Elevate 2021 conference, Aruneesh Salhotra, a VP at Nomura, explained how silos arise and how organizations can work across them to improve application security.

Who is responsible for application security?

Even if your organization has a security department, it doesn't mean that department is wholly responsible for all aspects of security. While they may define policy, create governance, and implement tools, application security is everyone's job. When the InfoSec department looks for opportunities to improve security, this will usually involve working with other teams such as application engineers, DBAs, and software developers to improve their practices.

But how can groups with such different mindsets come together under the same roof? One method is to agree on a shared foundation: the pillars that hold up an AppSec program.

What are the key pillars of AppSec?

Imagine a temple of security built in classical Greek architecture with multiple columns holding up the roof, protecting the sacred ground from the elements. Your applications are like the sacred ground, while the roof represents your security program. These pillars are necessary to protect your applications from the outside elements, which are often extremely harsh.

Key pillars of an AppSec program include:

  • Stakeholder buy-in

  • RACI model

  • Governance

  • KPIs (measuring outcomes)

  • KRIs (measuring risk exposure)

  • Remediation workflow

  • Center of Excellence (CoE) and a culture of learning

  • Tools and integrations

What are the areas of an AppSec program?

AppSec programs can be separated into the following:

  • Adoption

  • Governance

  • Training

  • Tooling

  • Integration

Each of these concerns will touch on several groups within any sizable organization, as shown in the image below. This is where breaking down silos is of particular interest.

Swim lane diagram for AppSec programs

For example, let's look at training. A training program might involve several teams of application engineers, budgeting, and InfoSec, to name just a few. A security hackathon is one way to bring people from various silos together around learning while strengthening relationships between groups.

What are the impacts of silos?

Missing information among key stakeholders, missed deadlines due to coordination problems, and misunderstandings due to cultural differences are all evidence of silos. Those cultural differences can stem from differences in language or perspective, or simply from a lack of shared knowledge.

Unaddressed silos can lead to a variety of issues, including duplicated effort, inconsistent implementation, mismatches between departments, and even service disruption. Worse, they can leave security holes that result in breaches.

How can you bridge the gap?

There are several techniques that can be used to reduce these divisions. These techniques all amount to better communication, especially listening and empathy.

Some tactical strategies include:

  • Performing cross-functional training

  • Creating a clear vision

  • Coming together around common language and meaning

  • Bringing together representatives from various silos to share information

These efforts take good leadership. You can think of silos as tribes, as David Logan explained in his TED talk on tribal leadership. People naturally form tribes: groups of roughly 20 to 150 people that share a subculture.

Good leaders introduce people from different tribes, thereby increasing the unity between tribes. If you're looking for a model for breaking down silos, this might just do the trick.

How will you break down silos?

Silos may exist for natural reasons, but their walls aren't impenetrable barriers. Treating those walls as hard divisions can inhibit our ability to build good security around applications. Creating pathways of communication, creating a shared vision, and bringing people together around a mutual problem are all ways to break through them.

The benefits of opening the lines of communication can't be ignored. Security is everyone's job, and that shared responsibility exists whether or not we have silos.

How would you apply Aruneesh's advice in your own organization to create pathways between silos?

View the talk

A video of the Elevate 2021 full discussion is available.

---

Tags: AppSec, Application Security, devsecops, News and Views

Written by Phil Vuollet

Phil Vuollet uses software to automate processes to improve efficiency and repeatability. He writes about topics relevant to technology and business, occasionally gives talks on the same topics, and is a family man who enjoys playing soccer and board games with his children.