The best way to improve security is to speed up

Submitted by
Style Pass
2024-05-04 15:30:04

The cybersecurity discourse tends to be adversarial, but more often than I’d wish, I see the most animosity coming between security engineers and developers – not between technical teams and attackers.

When you look at current tools and practices, such as manipulative phishing tests, forced reboots to install patches, and draconian access procedures, you can start to see why. The animosity is baked in.

There’s a reasonable justification, of course: All these practices protect companies (at least in theory) against very real threats. But even if developers agree with these security efforts on a broad level, they rarely agree at any given moment – “Of course, we should keep our devices patched” vs. “No, I’m in flow right now and can’t reboot my machine” or “Of course, no one should have access to everything” vs. “I need AWS access now on the off-chance I need access tomorrow.”

We’ve assumed, developers and security engineers alike, that security slows down or delays the “real work.” Downstream of this assumption are some unsurprising results: Developers who resent security engineers; security engineers frustrated by developers; and companies that push security and productivity but achieve neither.
