What if security teams placed their people into each department, instead of their own?
This is the position I currently find myself in. Four out of five days I sit with the development team with the goal of improving security in the software development life cycle (SDLC). It is going really well. It's going so well in fact that I've started to wonder why we don't do this more?
There would still be a security operations center and some other roles, like pentesters, working in a security space, but why not place a person in network or the server team?
Being in the room with the developers I'm able to build strong relationships within the team. I'm a security resource for them to bounce ideas off of and gain clarification on various security ideas and concepts. This makes things tremendously easier when I look to establish security processes and practices for the dev team. They see me daily and know that security is a priority. They also know that I see their successes and their struggles and that my goal is to help them be successful.
I believe this can apply to other departments. If security is involved the day-to-day operations of a team we are seen more as a resource instead of someone holding them accountable. We are still holding them accountable. The difference is that they can ask us questions. Why are we doing it this way and not this way? I'm finding people are much more amenable to security initiatives when we can explain why it's important and it benefits them.
This post first appeared on Exploring Information Security.