Security is Non-Essential
Yes. I said it. Why? Let me tell you why….
Let’s start with an example. Let’s take a dynamic product engineering team for a startup. This Product Engineering Team is creating a killer app that “sells widgets” (every technical book author’s favorite product) online. They have this super-slick SPA with React. They have written their API in NodeJS. They have a variety of other tech in their stack (the usual suspects like Kafka, Mongo, etc). Like all the cool kids, they use deploy on Containers, with Kubernetes. And they want to go fast. Really fast.
As they increase in “deploys per day” they realize that they need all or more of the following:
- A single touch automated CI process that “kicks the tires and lights the fires”, running all their tests, building their stack and deploying it into various environments. They have spent top $$ on cloud native, container-first CI tool that DELIVERS.
- A top-notch DevOps team that knows everything from AWS to GCP, with mad k8s sk33lz
- The latest and greatest in Dev Productivity tools
Missing something??? What about security?
Well, What about it??
Don’t you need?
- An automated set of tests that include security tests? “Don’t our annual pentests do that?”
- A way to organize and manage vulnerabilities? “Microsoft Excel works just fine. Besides, No budget!”
- A bigger security team? “Besides Dave and Maya? We don’t more security folks blocking stuff for us”
- Developer Security Training? “Our developers are the best. They know what they are doing, even security-wise”
- <Add anything else related to security here>
Let’s face it.
Security is Friction. It’s something telling you that you messed up. But one could argue “Aren’t functional bugs the same way? They’re friction too” Well. Not exactly. Functional bugs are seen by the user. Users get pissed off by functional bugs. But nearly no-one notices or even realizes that there’s a security bug. So, let sleeping dogs lie? (read: non-essential)
Security is Implicit. Wait…I thought you said it was non-essential. Yes, because it’s implicit. Project teams account for comprehensive validation of functional and performance parameters. That is “extra” in their book, because its not “already in there”. But for security, You’re goddamn right it should be in there by default. What else am I paying you for? Insecure systems?(read: non-essential-as-a-service)
Security is sunk-cost. I have been spending serious $$ on security every year. I haven’t seen a penny in return. You keep talking about some possible breach. I ain’t seen nothin’ like that yet. (read: non-essential by return on investment)