Don’t forget the Human
In this world of automation, machine learning, neural networks, pipelines, low-code/no-code, and all the widgets and doodads that come with being a field dominated by tinkerers and builders, it’s important to not forget the human behind the keyboard. Humans get things done and understanding how that happens differentiates the good AppSec professionals from the Greats.
I deal with many challenges in my day-to-day as an application security expert. Many are technical, the result of technologies not growing and evolving at the same rate until like differing metals with different rates of thermal expansion, something breaks with a pop and something that used to be whole is now in pieces. But many more are human.
Humans are, despite what you may think or feel about the whole lot, essential to this interconnected world of modern marvels that are all just a few thumb taps away on your smart phone. Understanding how they work together to accomplish the impossible is far more important than understanding how that impossible was accomplished. The means to understanding that is culture.
Culture here isn’t talking about the fuzzy bits that form in old yogurt or keeping one’s pinky up while sipping tea from bone china, but instead it is how companies get stuff done. The way I think of culture is stolen from Lance Hayden, PhD (author of People Centric Security) and boils culture down to a shared set of beliefs, incentivized behaviors, and values within a community. When a security culture aligns with what’s expected things go well, but when a culture clashes with expectations then frustration and failure abound.
There are many reasons an appsec program can fail: lack of senior leadership support, lack of funding, a tool-based silver bullet thought process, or an inability to keep up with changes in software development styles. However, the sneakiest and most frustrating failures lie in cultural disconnects.
There are two main axes on the culture spectrum in this simplified model. The vertical axis reflects centralized control vs decentralized control. At the top of the axis lie organizations where there is a strong central governing authority. Often there is a single appsec shop that writes the rules and a single policy that is enforced everywhere. Very little escapes the Big Brother who lives perched atop the vertical axis in our model. At the bottom lies decentralization or loose control. These organizations delegate power to the teams, who execute according to the pressures and drivers they face. Most security professionals view the bottom half of the axis as a no-man’s land of chaos and lawlessness, but most developers thrive in an area where they are free to pursue their requirements however they see fit. Some of the most interesting security developments come from teams with the freedom to solve the security problem as best they can, as long as they are motivated to solve security problems.
The horizontal axis reflects focus, internal vs external. An internally focused organization is one that writes its own requirements and business drivers, and works to achieve them. They have a product that they trust is the best in the market and strive to achieve that vision. Externally focused teams are primarily concerned with responding to market or regulator demands. A decentralized, externally-focused team is most likely the small product engineering team that makes its bonuses by making the customer happy, while a centralized, externally-focused team keeps everyone happy by passing external audits.
Classically, I’ve considered the military to be the archetype of the centrally-controlled, internally-focused quadrant: they respect processes. If you give an aircraft maintainer a checklist that’s signed by the SecAF, they’ll execute that checklist. Their decentralized, internally-focused counterpart is the hospital, where highly competent doctors and nurses are trusted to provide the best care they can to patients. The centrally-controlled, externally-focused quadrant is dominated by banks, who have to pass audits of all kinds. The decentralized, externally-focused quadrant in the bottom right tends to be engineering firms with distinct product lines or value propositions that they sell based on contracts with large buyers who have exacting standards.
Understanding what culture your business has is the first step in working with it, not against it. When getting started in security, the centrally controlled organizations tend to be more compliant, and security professionals have an easier time there. All someone has to do in a bank is say “It’s for the audit” and teams will jump on board. In a process culture like the military, it only takes a good process or two and they’re working on security.
When dealing with decentralized trust (internally-focused) and autonomy (externally-focused) cultures, the trick is building something really good with early adopters, and then getting buy-in on an awesome process or tool. Once stakeholders understand how this new security widget or dance helps them deliver better patient care, or better products to buyers, they’ll be all-in. The downside is that it’s a constant battle to build faith in application security.
As always, metrics are the answer to messaging, but that’s another day. Build good metrics that tell good stories, and you’ll get to do good work.
There are always more words to spend on a topic like this one, but I’ve hit my budget for now. Stay secure and never forget the humans.