The Book
Explore membership
S3M2Journey to AppSec Maturity
Resources
Resource LibraryAppSecConPodcastBlogState of AppSec 2023
Events
Upcoming Events
RSAC 2024
JTAM OWASP Global AppSec conferenceJTAM AWS ReInvent conference
Past Events
Mumbai ChapterAtlanta ChapterBengaluru ChapterNew Delhi ChapterNYC Chapter LaunchCyber SoireeWomen In SecurityDavos DialogueFirst LookSBOM
RSAC 2024
Cyber Future Dialogue 2024
JTAM Virtual Workshop - September
JTAM Roundtable - OWASP Global AppSec
Contact Us
The Book
Membership
S3M2
Journey to AppSec Maturity
Resources
Events
Contact Us

Breaking Organizational Silos

By 
Aruneesh Salhotra
,
and
March 24, 2023

You may wonder why we are talking about silos in context of AppSec, establishing and maturing the AppSec program. This is an extension to a talk presented at a conference where I shared and explained silo issues, how to recognize if silos exist and how breaking silos leads to improving security.

Silos

According to Wikipedia, 

A silo (from the Greek σιρός – siros, "pit for holding grain") is a structure for storing bulk materials. Silos are used in agriculture to store fermented feed known as silage, not to be confused with a grain bin, which is used to store grains. Silos are commonly used for bulk storage of grain, coal, cement, carbon black, woodchips, food products and sawdust.

A picture containing sky, outdoor, building, dayDescription automatically generated

"Security is everybody's responsibility. "

That’s correct. In today's interconnected world, where data breaches and cyber-attacks are becoming increasingly common, it's important for all employees to take responsibility for security. No matter you are IT Security Architect, SOC, Developer, Tester, Business Analysts, Business, IT Management, Risk and Control, Legal, HR …. you should be thinking about security. Almost every step of the way.

It's important for employees to be aware of potential security risks, follow security best practices, and report any suspicious activity. By working together, organizations can create a culture of security and protect against cyber threats.

A picture containing floor, indoor, ceiling, furnitureDescription automatically generated
TextDescription automatically generated with medium confidence

Why Silos existed?

Organizations traditionally had silos because they were structured into different departments or functional areas that operate independently of one another. Each department or functional area may have its own goals, objectives, processes, and culture, which can create barriers and lead to a lack of communication and collaboration between departments. This can cause information to become siloed within each department or functional area, preventing other parts of the organization from accessing it.

There are several reasons why organizations have silos:

  • Specialization: As organizations grow, they often require specialized skills and expertise, which can lead to the creation of specialized departments or functional areas. This specialization can lead to a narrow focus and a lack of understanding of the broader organizational context.
  • Control: Some organizations may create silos to maintain control over certain functions or information. This can lead to a lack of transparency and collaboration, as well as a tendency to protect departmental interests over the interests of the organization as a whole.
  • Culture: Organizational culture can also contribute to the development of silos. If the culture values competition over collaboration, or if there is a lack of trust or communication, silos can emerge as a natural consequence.

What are the impacts of silos?

Missing information among key stakeholders, missed deadlines due to coordination issues, and misunderstandings due to cultural differences are all evidence of silos. Cultural differences can be affected by differences in language, perspective, or lack of shared knowledge.

Unaddressed silos can lead to a variety of issues, including duplicated effort, inconsistent implementation, mismatches between departments, and even service disruption. Worse, they can leave security holes that result in breaches.

Overall, silos can be a barrier to organizational effectiveness and innovation. 

Here are a few signals that the silo mentality is creeping into an organization:

  • Mid-to-senior level stakeholders are unaware of major initiatives being undertaken by other departments or groups. 
  • Departments feel underprepared for hand-offs. 
  • Top-down communication is flowing freely, but bottom-up communication is limited or nonexistent. 

Breaking down these silos requires a concerted effort to foster collaboration, communication, and a shared vision across different departments and functional areas. This is especially crucial to consider with security efforts. Whether separated by functional lines, product areas, physical distance, or any other kind of barrier, it’s important to know how to get these groups on the same page.

Who is responsible for application security?

Even if your organization has a security department, it doesn’t mean that department is wholly responsible for all aspects of security. While Security department/division may define policy, create governance, and implement tools, application security is everyone’s job. When the Information Security department looks for opportunities to improve security, this will usually involve working with other teams such as application engineers, product managers, project managers, DBAs, software developers, compliance, infrastructure to improve their respective practices.

But how can organizations with such different mindsets come together under the same roof? One method is to consider a foundation.

A picture containing gear, metalware, chain, wheelDescription automatically generated

What are the key pillars of AppSec?

Imagine a temple of security built in classical Greek architecture with multiple columns holding up the roof, protecting the sacred ground from the elements. Your applications are like the sacred ground, while the roof represents your security program. These pillars are necessary to protect your applications from the outside elements, which are often extremely harsh.

Graphical user interface, applicationDescription automatically generated
Key pillars of an AppSec program

What are the areas of an AppSec program?

AppSec programs can be generally be separated into the following areas:

  • Adoption
  • Governance
  • Training
  • Tooling
  • Integration

Each of these concerns will touch on several groups within any sizable organization, as shown in the image below. This is where breaking down silos is of particular interest.

ShapeDescription automatically generated
Swim lane diagram for AppSec programs

For example, let’s look at training. A training program might involve several teams of application engineers, budgeting, and InfoSec, to name just a few. A security hackathon is one way to bring people from various silos together around learning while strengthening relationships between groups.

Strategies to bridge the gaps

The following strategies will help you break down silos and promote a collaborative cross-functional environment.

  • Help everyone understand the common vision and goals
  • Assign cross-functional liaisons
  • Encourage cross-functional training
  • Develop multi-functional teams for critical launches and initiatives
  • Take advantage of the IKEA effect: 

    The IKEA effect states that people who put creative effort into the beginning stages of a process will be more invested in it down the line. For that reason, it's helpful to get input from individuals across departments on every major project. That way, every team will have an emotional stake in the project, making them more likely to share resources to make it successful.
  • Build a cross-functional task force that champions new technologies
  • Setup cross-silo discussions that help employees see the world through the eyes of customers or colleagues in other parts of the company
  • Urge employees to explore distant networks

How can you bridge the gap?

There are several techniques that can be used to reduce these divisions. These techniques all amount to better communication, especially listening and empathy.

Some tactical strategies include:

  • Performing cross-functional training
  • Creating a clear vision
  • Coming together around common taxonomy and meaning
  • Bringing together representatives from various silos to share information
  • These efforts take good leadership. You can think of silos as tribes, as David Logan explained in his TED talk on tribal leadership. People naturally form tribes, which are groups of 20-100 people that share a subculture.
  • Good leaders introduce people from different tribes, thereby increasing the unity between tribes. If you’re looking for a model for breaking down silos, this might just do the trick.

How will you break down silos?

Silos may exist for natural reasons, but the walls of these silos aren’t invincible barriers. Viewing the walls as hard divisions can inhibit our ability to create good security around applications. Creating pathways of communication, creating a shared vision, and bringing people together around a mutual problem are all ways to break through these walls.

The benefits of opening the lines of communication can’t be ignored. Security is everyone’s job, and that shared responsibility exists whether or not we have silos.

A group of people with their arms raised in front of a sunsetDescription automatically generated with low confidence


Remember: Security talent is expensive and limited, so choose your investment wisely.

Disclaimer: Opinions are my own and not the views of any of my employers.

Aruneesh Salhotra
LinkedIn Logo
Global Head of Application Security, Nomura
LinkedIn Logo
LinkedIn Logo
Uniting security professionals on a mission to democratize software security and solve its ever-evolving challenges with the power of Community.
The Book
S3M2
Podcast
Blogs
Membership
Explore Membership
Resources
Contact Us
Powered By ArmorCode Inc.
Copyright © 2024. All rights reserved.
|
Privacy Policy
|
Terms & Conditions
The information contained in the Purple Book of Software Security and associated marketing material contains content expressed by Purple Book Community members. These opinions are their own, are not affiliated with the organizations that they belong to and have no commercial affiliation or any endorsement of any commercial products or services, including the community sponsors.