In my experience, engineers are sometimes scared — for real — to join a meeting with a security team.
Lots of engineers I’ve met had bad to at least poor experience in the past with security folks who either shouted over them or were blocking all initiatives and defaulting to NO each time someone asked a question.
To build a culture you need to show empathy and understanding of your co-workers’ intentions. No one really is breaking security just to annoy you, because they simply have no time to play games with you.
People have their own duties and responsibilities and are often forced to cut corners, and if you’re not making their life easier, they’ll find a way to go around you and get the work done regardless of your policies and procedures.
Create friendly atmosphere during your meetings and spend most time listening
Listening is good, throwing silver bullets and expressing your genius not so much.
People you’re working with are really smart and eager to improve their code if you approach the subject in a tactical way.
If you aren’t a savvy leader and speaker yet, it’s a good idea to join other non-security related meetings and learn how they’re being ran. Make notes, learn, observe people’s behavior so you can make the best out of all those meetings and then apply to yours. In general, meetings aren’t the most liked thing by engineering departments. If you make security meetings productive and friendly, your co-workers will be amazed to see someone who fixed — ever disliked — meetings and improved the bad experience they had in past with other security teams.
The approach that works best for my meeting is spending most of the time on listening to the team giving me a thorough product description when I just quietly sit sometimes asking questions but without throwing any outstanding advice(yet). Then I ask what do they feel like wasn’t done the best because of lack of time or expertise — this concept is gold, because who’s the better source of information than a person who wrote given chunk of code — and then I provide my insights but keep them in neutral tone, not preaching but just giving a food for thought. I ask what do they think about idea to do something a bit different way and I explain my POV clearly and calmly including information like why is this important and how they or our business can benefit from it.
After the meeting I’m reviewing all the notes I’ve made and data they sent me so I can come up with guidelines and send them over to the team to take a first glance over it and become comfortable with my requirements. On the next meeting or an online call we spend more time on myself explaining given items and now they’re the ones asking questions to which I must respond nicely without embarrassing them or causing any negative experience even if they didn’t know something basic, because if someone step out to ask a question he should be appreciated, not demotivated by your ego.
All that back and forth makes sense, because if you drop too many information on their heads during the first meeting it feels overwhelming and aggressive. Even if you see all the flaws and suggestions during initial meeting, try to stop yourself from bombarding them with all that, unless you really don’t have much time to afford the polite game. Surely you can give them an initial feedback but keep in mind that they can’t leave the meeting overwhelmed.
The first meeting is meant to create good relationship with a team and the second one is where things actually happen, but without prior, results may be poor and against expectations.
During second meeting we decide if it’s all good or I need to adjust some of the guidelines so the a team feels better about it.
We’re there to serve others, no other way around so sometimes you’ll must to get into back and forth with improvements in your plan to find the most practical solutions. But it’s worth it, because at the end of the day counts only this counts — improvement is there and people are executing on security and they’re not afraid of you.
Learning how to run effective meetings and how to persuade people are essential components to make corporate security programme practical. If you master social skills, almost everything else becomes bread and butter.
Dawid Bałut 