
Intro to security consulting: an impact-driven approach (part one)

It’s an oft-repeated mantra around here that security is everyone’s responsibility. But that is easier said than done. This blog explores how Thoughtworks introduced a new security approach to empower product teams and establish accountability among team leads. The new approach ensures that teams and their leaders are both informed of and responsible for the security risks in what they deliver.


Our InfoSec (Information Security) team is a ‘first responder,’ working with both client-facing and internal product delivery teams. The InfoSec team is also a bridge between technologists, legal teams and the client or internal product owners. This twin role gives the team a reasonable insight into the challenges of improving security – after all, if the InfoSec team finds it hard to get right, it’s likely others face similar struggles.


One of the biggest challenges for the InfoSec team has been changing how and when teams think about security.


Conventionally, security ends up being an afterthought, implemented reactively across most teams only after an impact is felt. Teams have involved the InfoSec team only when they were already stuck in their security journey, after key decisions had been made and too late in the feedback cycle of product development and delivery. The chances of the InfoSec team becoming a bottleneck increase further when a triple threat occurs: the InfoSec team is low on bandwidth, is called in late in the day, and is called in for an urgent security-related challenge.


In an effort to shift how teams approached security, the InfoSec team adopted a ‘security consulting’ model: regular half-hour calls with leads and interested members of the internal delivery teams to discuss security vulnerabilities, tooling, project tasks and the progress of monthly security tasks.


The problem was that these calls were more akin to status updates than rich discussions on secure product delivery. The nature of the calls created the wrong perception: that ownership and accountability for a secure product was InfoSec’s problem to solve. Sometimes, leads were unaware of the security requirements for their product and found it difficult to incorporate security within their functional roadmap. And sometimes, team members who were enthusiastic about security did not feel empowered to act.


Learning from these missteps, the InfoSec team adopted a new modus operandi. Here are the three goals and the guiding principles the InfoSec Center of Excellence (CoE) adopted when rolling out the new approach:

Goals:

  • Help teams plan for the road ahead

  • Make it feasible and scalable to support the team

  • Make progress visible and measurable to ensure data driven decisions 


Drawing on the DevSecOps manifesto, we adopted these guiding principles:


  • Build security in rather than bolt it on

  • Rely on autonomous development teams rather than security specialists

  • Implement features securely rather than security features

  • Use tools as feedback for learning rather than end-of-phase stage gates

  • Build on a culture change rather than policy enforcement

Rolling out the new InfoSec approach involved:

  • Avoiding the use of external triggers to force a change

  • Reinforcing the value of ‘why’ security matters rather than prescribing how to achieve maximum security

  • Nominating a person for action rather than waiting for someone to volunteer

  • Allowing the data to tell the story

The next blog in this series delves deeper into each of the above steps that helped roll out the security consulting approach at Thoughtworks.

Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.
