Chapter 3. The Keys to an Effective Security Culture

In this report, I talk a lot about how security teams need to stop thinking about security as a blocker and to change security processes to reflect the ways DevOps has changed development processes. But if you change only the processes, your team won’t be successful. You need to change the culture of your security team, too.

The blocker mentality has fostered a security culture that tends to shut off the security team from the rest of the organization. But now that developers have the power to push code to production, the security team needs to develop a much more collaborative culture. We need everyone in the organization to understand and buy into security’s role so that employees who are trying to do their jobs don’t simply route around the measures security puts in place to protect the organization.

What consistently works for many organizations going through the DevOps shift is a day-to-day focus on giving other teams incentives to reach out to the security team. To clarify what that culture shift looks like, this chapter focuses on the cultural lessons that I really wish I’d known on day one at Etsy and how you can apply them to any organization.

Communicate with Empathy (aka Don’t Be a Jerk)

Empathy needs to be a core part of your team’s culture.

I put empathy first because, when your security program fails at empathy by, say, a security team member making a sarcastic comment about the code a developer asks ...
