Organizations across sectors are likely aware of the existing divide between engineering and security teams. When it comes to identity management, this divide can be very pronounced. This often stems from the differing priorities and operational mindsets of these two teams. Engineering teams are driven by the need to innovate and deliver new features rapidly, prioritizing speed and functionality to meet tight deadlines and business demands. They thrive in a fast-paced, agile environment where experimentation and iteration are encouraged. Conversely, security teams focus on minimizing risks and safeguarding systems and data, emphasizing the importance of stringent controls and policies to protect the organization from threats. This article explores the cultural and goal-related differences between these teams, the impact on identity management, and strategies to bridge the divide, highlighting the necessity of aligning these departments for the success of forward-looking organizations.
Engineering Team Incentives
Engineering teams are primarily motivated by the desire to build and deploy new features quickly. Their goals are centered around delivering value to customers and stakeholders through rapid development cycles and continuous improvement. Engineers often take calculated risks to push the boundaries of what’s possible, experimenting with new technologies and approaches to enhance system performance and user experience. This drive for innovation can sometimes lead to friction with security teams, particularly when working in cloud environments.
Additionally, engineers may feel pressured to meet tight deadlines, which can result in prioritizing functionality over security. The rapid pace of development often increases the number of standing privileges and identity complications. At its worst, this access bypasses established security protocols without the security team being aware of it or having the tools to revoke it.
Security Team Incentives
On the other hand, security teams are fundamentally focused on minimizing risk and ensuring the integrity, confidentiality, and availability of systems and data. Their primary goal is to protect the organization from threats, which often requires implementing stringent controls and policies. In identity management, this means ensuring that authentication and authorization processes are secure, preventing unauthorized access, and protecting sensitive user data. Additionally, security teams are tasked with identifying potential threats, conducting thorough risk assessments, and enforcing compliance with regulatory standards.
This cautious approach, while essential for safeguarding the organization, can sometimes be perceived as a hindrance to the fast-paced, iterative nature of engineering work. Security measures, such as multi-factor authentication, strict access controls, and regular security audits, are critical for preventing breaches but can introduce delays and additional steps in the development process. This dynamic often leads to tension between the two teams, as engineers may feel that security protocols slow down their progress, while security professionals view rapid development as a potential source of threats.
Bridging this divide requires a balanced approach that integrates security seamlessly into the development lifecycle without compromising speed and innovation.
Bridging the Cultural Divide
To align the incentives of engineering and security teams, organizations can adopt several cultural strategies:
- Promote a Shared Vision: Leadership should emphasize that both teams are working towards the same overarching goal: the success and security of the organization. Security teams should see themselves not as roadblocks but as enablers for engineers, adopting strategies that let engineers move at the quick pace they need. By promoting a shared vision, teams can work together more effectively.
- Foster Mutual Understanding and Respect: Encourage both teams to understand and respect each other’s goals and challenges. Regular cross-functional meetings and joint planning sessions can help build a shared understanding and foster collaboration. These interactions should include open discussions about the constraints and pressures each team faces, allowing members to appreciate the complexities of each other’s roles.
- Recognize and Reward Collaboration: Acknowledge and reward efforts that demonstrate successful collaboration between security and engineering teams. This can motivate teams to work together and find innovative solutions that balance speed and security.
Bridging the Tech Divide
In addition to cultural strategies, organizations can leverage technology to bridge the divide between security and engineering teams:
- Automation: In identity management, manual access provisioning is one of the most common frustrations engineers encounter. For teams working on short timetables, delayed access to vital materials can significantly push back completion, and the delay snowballs as more team members are affected. It becomes even worse in distributed workforces, where team members may have to wait for colleagues in other time zones to come online and grant access. Organizations should therefore automate access provisioning as broadly as security can permit to keep operations running smoothly.
- Just-in-Time (JIT) and Just-Enough Access (JEA): Similarly, adopting JIT and JEA solutions can provide engineers with the access they need, when they need it, without granting standing privileges. This minimizes the attack surface and reduces risk while allowing engineers to move quickly. By implementing these access control mechanisms, organizations can ensure that engineers have the necessary permissions to perform their tasks efficiently while also maintaining strict security controls to prevent unauthorized access and potential breaches.
- DevSecOps: Integrating security into the DevOps pipeline ensures that security is continuously monitored and addressed throughout the development process. This approach allows engineers to focus on building new features without being slowed down by manual security reviews. DevSecOps promotes a culture of shared responsibility for security, where both security and engineering teams collaborate to embed security practices into every stage of the software development lifecycle.
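The Automation and JIT/JEA items above can be made concrete with a small access broker. This is an added example, not code from the article or from any product: the `POLICY` table, role and scope names, and the `JitBroker` class are hypothetical. It approves requests automatically against policy, caps each grant to a single scope and a maximum lifetime, expires grants on use, and gives the security team a revoke path and an audit trail.

```python
import time
from dataclasses import dataclass

# Hypothetical policy: scopes each role may self-serve, with a max lifetime in seconds.
POLICY = {
    "engineer": {"db:read": 3600, "deploy:staging": 1800},
    "sre": {"db:read": 3600, "db:write": 900, "deploy:prod": 900},
}

@dataclass(frozen=True)
class Grant:
    user: str
    scope: str
    expires_at: float

class JitBroker:
    def __init__(self, policy, clock=time.time):
        self.policy, self.clock = policy, clock
        self.grants = {}   # (user, scope) -> Grant; nothing here is a standing privilege
        self.audit = []    # append-only record the security team can review

    def request(self, user, role, scope, seconds, reason):
        """Auto-approve if policy allows the scope (JEA), capping the lifetime (JIT)."""
        max_ttl = self.policy.get(role, {}).get(scope)
        if max_ttl is None or seconds <= 0 or not reason.strip():
            self.audit.append((self.clock(), "DENY", user, scope, reason))
            return None
        grant = Grant(user, scope, self.clock() + min(seconds, max_ttl))
        self.grants[(user, scope)] = grant
        self.audit.append((self.clock(), "GRANT", user, scope, reason))
        return grant

    def is_allowed(self, user, scope):
        """Checked on every use, so an expired grant is removed without a cleanup job."""
        grant = self.grants.get((user, scope))
        if grant is None:
            return False
        if self.clock() >= grant.expires_at:
            del self.grants[(user, scope)]
            self.audit.append((self.clock(), "EXPIRE", user, scope, ""))
            return False
        return True

    def revoke(self, user):
        """Security-side kill switch: drop every live grant held by a user."""
        keys = [k for k in self.grants if k[0] == user]
        for key in keys:
            del self.grants[key]
            self.audit.append((self.clock(), "REVOKE", user, key[1], ""))
        return len(keys)
```

Because approval is a policy lookup rather than a human step, an engineer in any time zone gets access immediately, while the security team sets the ceiling on scope and duration in one place.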
The divide between security and engineering teams is a significant challenge in identity management, but it is not insurmountable. By fostering a culture of mutual understanding and collaboration and leveraging technology to streamline security processes, organizations can align the incentives of both teams. This alignment is essential for forward-looking organizations that want to innovate quickly while maintaining robust security measures. By repositioning security teams as enablers for engineering, organizations can create a more cohesive and effective approach to identity management.