Breaking Organizational Silos
You may wonder why we are talking about silos in the context of AppSec, and of establishing and maturing an AppSec program. This is an extension of a talk I presented at a conference, where I shared and explained silo issues, how to recognize whether silos exist, and how breaking silos leads to improved security.
According to Wikipedia,
A silo (from the Greek σιρός – siros, "pit for holding grain") is a structure for storing bulk materials. Silos are used in agriculture to store fermented feed known as silage, not to be confused with a grain bin, which is used to store grains. Silos are commonly used for bulk storage of grain, coal, cement, carbon black, woodchips, food products and sawdust.
"Security is everybody's responsibility."
That's correct. In today's interconnected world, where data breaches and cyber-attacks are becoming increasingly common, it's important for all employees to take responsibility for security. Whether you are an IT Security Architect, SOC analyst, Developer, Tester, Business Analyst, business stakeholder, IT Management, Risk and Control, Legal, HR ... you should be thinking about security, at almost every step of the way.
It's important for employees to be aware of potential security risks, follow security best practices, and report any suspicious activity. By working together, organizations can create a culture of security and protect against cyber threats.
Why do silos exist?
Organizations traditionally had silos because they were structured into different departments or functional areas that operated independently of one another. Each department or functional area may have its own goals, objectives, processes, and culture, which can create barriers and lead to a lack of communication and collaboration between departments. This can cause information to become siloed within each department or functional area, preventing other parts of the organization from accessing it.
There are several reasons why organizations have silos:
- Specialization: As organizations grow, they often require specialized skills and expertise, which can lead to the creation of specialized departments or functional areas. This specialization can lead to a narrow focus and a lack of understanding of the broader organizational context.
- Control: Some organizations may create silos to maintain control over certain functions or information. This can lead to a lack of transparency and collaboration, as well as a tendency to protect departmental interests over the interests of the organization as a whole.
- Culture: Organizational culture can also contribute to the development of silos. If the culture values competition over collaboration, or if there is a lack of trust or communication, silos can emerge as a natural consequence.
What are the impacts of silos?
Missing information among key stakeholders, missed deadlines due to coordination issues, and misunderstandings due to cultural differences are all evidence of silos. Cultural differences can stem from differences in language, perspective, or a lack of shared knowledge.
Unaddressed silos can lead to a variety of issues, including duplicated effort, inconsistent implementation, mismatches between departments, and even service disruption. Worse, they can leave security holes that result in breaches.
Overall, silos can be a barrier to organizational effectiveness and innovation.
Here are a few signals that the silo mentality is creeping into an organization:
- Mid-to-senior level stakeholders are unaware of major initiatives being undertaken by other departments or groups.
- Departments feel underprepared for hand-offs.
- Top-down communication is flowing freely, but bottom-up communication is limited or nonexistent.
Breaking down these silos requires a concerted effort to foster collaboration, communication, and a shared vision across different departments and functional areas. This is especially crucial to consider with security efforts. Whether separated by functional lines, product areas, physical distance, or any other kind of barrier, it’s important to know how to get these groups on the same page.
Who is responsible for application security?
Even if your organization has a security department, it doesn't mean that department is wholly responsible for all aspects of security. While the security department or division may define policy, create governance, and implement tools, application security is everyone's job. When the Information Security department looks for opportunities to improve security, this will usually involve working with other teams, such as application engineers, product managers, project managers, DBAs, software developers, compliance, and infrastructure, to improve their respective practices.
But how can organizations with such different mindsets come together under the same roof? One method is to consider a foundation.
What are the key pillars of AppSec?
Imagine a temple of security built in classical Greek architecture with multiple columns holding up the roof, protecting the sacred ground from the elements. Your applications are like the sacred ground, while the roof represents your security program. These pillars are necessary to protect your applications from the outside elements, which are often extremely harsh.
What are the areas of an AppSec program?
AppSec programs can generally be separated into the following areas:
Each of these concerns will touch on several groups within any sizable organization, as shown in the image below. This is where breaking down silos is of particular interest.
For example, let’s look at training. A training program might involve several teams of application engineers, budgeting, and InfoSec, to name just a few. A security hackathon is one way to bring people from various silos together around learning while strengthening relationships between groups.
Strategies to bridge the gaps
The following strategies will help you break down silos and promote a collaborative cross-functional environment.
- Help everyone understand the common vision and goals
- Assign cross-functional liaisons
- Encourage cross-functional training
- Develop multi-functional teams for critical launches and initiatives
- Take advantage of the IKEA effect:
The IKEA effect states that people who put creative effort into the beginning stages of a process will be more invested in it down the line. For that reason, it's helpful to get input from individuals across departments on every major project. That way, every team will have an emotional stake in the project, making them more likely to share resources to make it successful.
- Build a cross-functional task force that champions new technologies
- Set up cross-silo discussions that help employees see the world through the eyes of customers or colleagues in other parts of the company
- Urge employees to explore distant networks
How can you bridge the gap?
There are several techniques that can be used to reduce these divisions. These techniques all amount to better communication, especially listening and empathy.
Some tactical strategies include:
- Performing cross-functional training
- Creating a clear vision
- Coming together around common taxonomy and meaning
- Bringing together representatives from various silos to share information
These efforts take good leadership. You can think of silos as tribes, as David Logan explained in his TED talk on tribal leadership. People naturally form tribes, which are groups of 20-100 people that share a subculture.
Good leaders introduce people from different tribes, thereby increasing the unity between tribes. If you're looking for a model for breaking down silos, this might just do the trick.
How will you break down silos?
Silos may exist for natural reasons, but the walls of these silos aren’t invincible barriers. Viewing the walls as hard divisions can inhibit our ability to create good security around applications. Creating pathways of communication, creating a shared vision, and bringing people together around a mutual problem are all ways to break through these walls.
The benefits of opening the lines of communication can’t be ignored. Security is everyone’s job, and that shared responsibility exists whether or not we have silos.
Remember: Security talent is expensive and limited, so choose your investment wisely.
Disclaimer: Opinions are my own and not the views of any of my employers.