How Microsoft builds empathy between its security and development teams

Ongoing cross-training, threat information sharing, executive support and a strong threat modeling infrastructure help the company's security and development staff work collaboratively.

How would you describe the relationship between your organization’s security and development teams? Chances are, you’d use words like “tense” or “distrustful.” That’s because the two groups often feel they are working at cross-purposes and getting in each other’s way. Security sees itself as fixing vulnerabilities that developers create, while developers see security as a series of speed bumps that keep them from reaching their milestones on schedule.

That’s the crux of the problem. Why can’t there be one set of shared goals for both teams? Software giant Microsoft believes it has achieved a common purpose between its development and security operations, and that this shared purpose has resulted in better security for both its internal and commercial software and services.

Microsoft’s approach is simple and is based on good, consistent training and communication. Executing that approach is not so simple. It requires buy-in from both groups, ongoing training, effective communication and, importantly, a strong endorsement from executive management.

CSO recently spoke with Bret Arsenault, Microsoft’s CISO, and Bharat Shah, vice-president for security engineering in Microsoft’s cloud and AI division, about how the company’s developers and security professionals collaborate to build security into its tools and products.

Move to the cloud a driving factor

