Set common goals with management and executives
It rarely happens that engineers themselves don’t want to build security into their products for no reason. The problem is that very often in startups and SMBs, middle management isn’t held responsible for product security, and the only thing they’re rewarded for is if the feature-rich product is shipped. There is yet a long time till security will be by default included into quality assurance process and till everyone is aware of potential consequences of security negligence. If you don’t start from the top of an organization’s hierarchy there are small chances of succeeding with your security initiatives, because engineers don’t like to step out and do things their managers don’t want them to spend time on.
Before you start working with engineers, make sure you have support of execs, learn what are the business objectives in your company, what are the points of focus for management and then adjust your latter engagements basing on the data you collected. It’s hard to provide a generic recommendations because each organization and each exec is different, so you need to learn how to approach them on individual basis.
Senior management must be advocates of healthy security culture, otherwise it’s a Sisyphean task to do all the things from the bottom up.
No leadership, no time, no budget, no resources = no security improvement + your burnout.
Everyone is a target
This is a problem I often fall on while working with startups and SMBs, which tend to believe they’re too small to become a target. It’s actually the opposite — hackers and script kiddies come after the easiest targets and immediate profit first so they’re very likely to attack organizations with weak security posture.
Management needs to also understand that while big organizations can survive security breach, small ones can’t afford it because of public image reasons. If business providing enterprise solutions has stable position on the market and great product, most customers will stay because it’s expensive to transit whole enterprise to another solution, but if you’re a small startup that has been compromised, it’ll get overblown in social medias by competitors and PR/marketing-wise you’re finished.
This is really important message to convey because recently I’ve seen many article saying that “it’s cheaper to get hacked than secure an organization” which are nonsense and are doing a lot of harm to us who work with execs’ security awareness. Basic security isn’t that expensive and articles like that make more bad than good, so ensure everyone understands business risk management including dangers coming from social media scandals and get the solid perspective on why security breaches bring different results to different organizations.
You can earn some love from your marketing and sales people if they learn that you’re protecting the business to make their job easier, so they won’t need to explain to each prospect why you were hacked and convincing them that the company is in much better shape nowadays.
Settle down on authority at earliest possible
Security is an executive level issue so you just must to be in position to influence everyone else in the organization. You shouldn’t waste your time on back and forth discussions on why something must be done this and no other way around, just because you weren’t given enough authority to make stuff happen and you need to crawl to have management spend on security.
If you decide on authority and expectations at the earliest, you’ll save yourself from lots of anxiety and frustration, and unfortunately in some environments/situation the authority is the only thing that helps.
Simply saying, you need to be in power on management level to make a difference and be productive. Being at the lowest of an organization chart, you’ll have hard time working with non-security savvy management who has no interest in focusing on security.
If they’re only punished&rewarded for shipping working product on time, they won’t want to invest in security which almost always slows down development process, so execs must make it clear that products security is a part of quality and should be treated as a regular, acceptable software development cost.
Everyone needs to know the value of security initiatives, because you don’t want to end up fighting with management. Firstly it’s is burning out experience and secondly it creates a toxic atmosphere around security which is completely against our intent.
We should aim to make security something that brings exciting memories and lets people be proud of their work.
After all, with power comes great responsibility so always aim to lead your people instead of preaching just because you can. Use the position only in critical situations when everything else failed, but you must bring stakeholders attention because consequences of negligence may have negative business impact.
Dawid Bałut 