How CIOs Can Bring Security And Development Teams Together

The two aspects of business can often butt heads, notes Deft CISO Thomas Johnson.

Security and development teams can sometimes seem at odds. Security can feel like development isn’t careful enough; development can feel like security is holding them back.

Thomas Johnson, Chief Information Security Officer at Deft, a Chicago-based company that offers cloud-native software development, AWS consulting, cloud infrastructure and global data center services, has seen his share of conflict. But with the right approach, harmony can be found to the betterment of the organization overall. We spoke with Johnson about the importance of good communication, a healthy culture and the role of the CIO.

Why do security and development teams often clash within their organizations?

Often, their objectives are at odds with each other. Security teams prioritize certainty and due diligence, while development teams are incentivized—and pressured—to create and deliver quickly. This can lead to tensions between the two teams: development teams feel held back by security protocols while security teams, looking to minimize risk, slam the brakes on innovative projects they feel increase the organization’s risk vectors and overall risk profile.

A lack of communication can also lead to internal clashes. By maintaining open lines of communication through the duration of a project, developers won’t have to go back and retrofit a service after they think it’s “completed.” Likewise, security won’t have to worry about any potential incidents because they’ll know they’ve been addressed each step of the way.

Rather than spending time reacting to costly incidents, it’s better to take the time to proactively alleviate security risks before a new service or application goes live. If security and development teams both understand why it’s critical they work together, it can temper any potential cross-departmental clashes.

What happens when security and development teams have conflicting objectives or are at odds with each other?

This can lead to any number of bad outcomes: prolonged development cycles, security breaches or information leaks, and, perhaps most importantly, an unhealthy culture within the organization. One possible scenario: developers will be less likely to identify creative solutions and try new approaches to business problems if they think they’ll only be stifled by security measures. An even worse case: developers just push forward and don’t engage anyone on the security team until it’s too late. In both situations, if security teams feel they’re being shortchanged, they’ll be less likely to embrace innovative cloud-based projects.

When different teams across an organization face conflicting objectives, it’s also a sign of a lack of organizational alignment at the business level. It’s the responsibility of leadership to, first, ensure every facet of an organization understands their role in relation to the overall goal of the business and, second, realizes how other teams can help them achieve that goal. In short, everyone needs to know they’re on the same team.

How can security and development teams work together to align their objectives?

First and foremost, by maintaining open streams of communication. You’re probably sensing the communication theme here now. Whenever there are plans to launch a new application or service, security and development teams should meet to discuss objectives and concerns. They should consider the business objectives of the projects, potential security implications in the case of an outage or breach, and how confidential data is used and protected.

Throughout the software development cycle, each team needs to understand the role they play in relation to other teams around them in the pipeline. Beyond that, they need to be able to openly and consistently communicate the importance of that role and ensure its objectives can be realized in line with the rest of the business. If that’s impossible, it can be indicative of larger strategic breakdowns across the organization.

Development teams need to be able to communicate the advantages and risks of a given solution to the folks on the security side, and security teams should be ready to collaborate from the very beginning.

What advice do you have for CIOs looking to foster a collaborative approach to security and development within their organization?

Empathy. First, acknowledge and understand the frustrations of development and security teams. Security teams don’t want to create more work for their developer counterparts. They just want to ensure the company and its customers are protected. Developers aren’t purposefully flouting security protocols, they’re just not aware of the risks. Understand that everyone is on the same team.

Second, don’t advocate for security over development or vice versa. Both are non-negotiable goals, and as CIO, you have the tools and the influence to achieve them. You should be an advocate for secure, innovative tech initiatives that connect to your organization’s business goals—and each part of that advocacy role is equally important.

Finally, embrace challenges between teams as opportunities to streamline communication and identify the tools that will eliminate similar problems in the future. Approach any conflict from a place of understanding. When I need to lock down a database, my developer teammates know it’s not because I want them to jump through hoops. It’s because I want to protect our customers, ensure we keep our certifications and contribute toward the betterment of our company. 

Get the StrategicCIO360 Briefing

Sign up today to get weekly access to the latest issues affecting CIOs in every industry


Strategy, Insights, Action

In our weekly newsletter, get insight into the biggest issues facing CIOs, along with strategic ideas, solutions, and interviews.

Strategy, Insights, Action

Once a week, get insight into the biggest issues facing CIOs, along with strategic ideas, solutions, and interviews.

Your information is secure – we don’t sell or rent your data to any third-parties.