Chad Mantooth

Dec 22, 2024 • 2 min read

The Struggle of a CISO: Trying to Get Dev Teams on Board with Security

What’s Hot, What’s Next, and What’s Breaking in Tech

Hey everyone! I wanted to share a story about a Chief Information Security Officer (CISO) who’s been having a tough time with their dev teams. If you’ve ever felt like you’re fighting an uphill battle to get people to care about security, this one’s for you.

So, picture this: you’re a CISO, and you’ve just joined a company with an army of developers. In your last role, security was built right into everything the devs did. Vulnerabilities were flagged automatically, and issues were tracked and resolved like clockwork. But here? It’s chaos.

What’s Going Wrong

The dev teams are pretty much doing their own thing. They have dashboards with all the security data—vulnerabilities, issues, and so on—but after that? It’s like, “Here’s the info, good luck!” No clear rules, no structure, no guardrails.

Unsurprisingly, security has taken a back seat. Everyone’s focused on cranking out features and keeping operations running. Meanwhile, vulnerabilities are piling up.

The Search for Solutions

The CISO wanted to fix this but wasn’t sure where to start. They asked around and got some advice from experienced security folks, which I thought was worth sharing:

  1. Find Someone Who’s Willing to Help - Instead of trying to fix everything at once, find leaders in the company who are open to working with you. Start small with those teams and build a better process together.

  2. Figure Out What’s Missing - This is about doing a gap analysis (fancy term for figuring out what’s broken). Tools like the DevSecOps Maturity Model (DSOMM) can help show how far off you are from having a solid security setup.

  3. Make It Easy for Devs - Let’s be real—developers don’t want extra work. Tools like Snyk can automatically scan for vulnerabilities, so devs don’t have to. For API security, tools like Akamai or Salt can cover everything, even those sneaky “shadow APIs” you didn’t know existed.

  4. Standardize Things - If every dev team has its own CI/CD pipeline, it’s a mess. Working with DevOps to create a consistent system across the company can make it easier to build security into the process.

  5. Don’t Be a Jerk About It - Nobody likes being told they’re doing it wrong. Instead of pointing fingers, explain how better security helps everyone. It’s about teamwork, not blame.

The Lesson

This CISO is still figuring things out, but they’ve already learned an important lesson: fixing security problems in an immature organization takes time and patience. Start small, find tools that make life easier for everyone, and focus on building good relationships.

If you’re in a similar situation, just remember—you don’t have to fix everything overnight. Take it one step at a time, and eventually, you’ll get there. Security is a marathon, not a sprint.
