date 2022-07-12

Part one laid the foundation for our Information Security Center of Excellence's (InfoSec CoE) new approach to getting Thoughtworks teams and leadership to adopt seamless security thinking. Part two elaborates on what went into the roll-out of the security consulting approach, on the ground.

#1 Avoid forcing a change with the use of external triggers

Project management tools help teams identify (or visualize) and understand requirements, next priorities, bugs and defects. The InfoSec team also started visualizing requirements by providing a snapshot of priorities.

This empowered teams by letting them plan their security journey and incorporate security requirements into their roadmap. Controls were created that had to be satisfied, alongside a sanity check, before a card could move into analysis and development.

This approach not only supported the teams' current working style but also allowed security champions to lead, mentor and train the team. A workflow with built-in security controls resonated with the team's way of working and indirectly supported the security champion's (sec champ's) role in amplifying AppSec across the organization.

For instance, instead of dropping monthly ad-hoc security requirements, the InfoSec team created a list of controls for product teams that helped them navigate the security journey. The controls were mapped to the delivery phases and aligned with the Build Security In (BSI) cycle.