After having every job in information security (from log review to CISO), I took a break to spend time running production engineering for a major PaaS vendor. I learned a lot about the fine details of engineering management, but I learned a whole lot more about how security could be done more effectively. I'm back in the security world and starting to implement what I learned. Here's a little bit of insight that might make a difference in your world. But I might not stay - there are a lot of good ways to accomplish things, but I'm even less sure that security should be a separate discipline. Hard-won lessons to share.
Clearly describe the key points of interaction failure between engineering and security organizations.
Demonstrate an awareness of the knowledge and perception gap between engineering and security cultures.
Conduct analysis of their own organizational interactions to find opportunities for improvement.
10/27/21 11:04 pm