Skilling up at home? Here's your Free Trial
Careers

A Post-Pandemic Guide to Building Teams for Application Security

February 21, 2022

You don’t need me to tell you that the pandemic hasn’t exactly been a great time, both for companies and for the people working for them. Everything about the workplace has changed, and you’ve been in the line of fire for the past two years.

So I’m going to skip all that and get straight to the point: if you’re responsible for product development at your organisation, you can’t expect things to go back ‘to normal.’

The pace of change we’re seeing in tech today has forced us to take on a different view of roles and skills in the modern workplace, and where to prioritise effort and spending.

While this article focuses on application security and product development, I’ll be taking into account more general shifts in workforce planning and training requirements.

If you’re a team leader, an executive, or a product development head, this article will help you prepare your workforce for the challenges coming in 2022 and beyond.

The Great Resignation: What employees expect from organisations today

If you were paying attention to the economic trends of 2021 (and I wouldn’t blame you if you weren’t, it’s exhausting), you’d definitely have heard of the
Great Resignation.

After companies were forced to shift to remote work, large portions of their workforce started leaving their jobs, despite the market being more volatile than
ever.

The industries that saw the most disruption were those that saw the highest levels of demand in the pandemic: healthcare and tech. In 2021, 4.5% more
employees in tech
quit their jobs than the previous year.

The likely reason for this is that with increased demand (higher dependence on tech during lockdowns) came increased workloads, and eventually, burnout.

Looking to start a career in application security? We've got an updated 2022 guide for that, too!

The prevailing winds among tech employees urged them to seriously consider whether the jobs they were in were actually good enough, and if they weren’t, they could just find someplace better. Every employer was facing shortages, and experienced professionals were in a better position to bargain than ever.

The dynamic between employer and employee has changed, and it’s more important than ever for employers to not only make decisions that are positive for the business, but build a solid, co-dependent relationship with their workforce.

In other words, your employees aren’t resources, they’re people. If the last year has taught us anything, it’s that you should prioritise retaining in-house talent and investing in your employees more than ever before.

How to build strong teams and retain your workforce in 2022 and beyond

If the Great Resignation wasn’t a sign that things today are drastically different from two years ago, here’s some numbers for you: 80% of the workforce and 92% of managers said they “felt poorly prepared for the future.”

According to a Gartner survey, 70% say they “haven’t mastered the skills they need for the job they have today. Just one in five says they have the skills they need for both their current roles and future careers.”

These are alarming numbers by any standard, and a sign of how even large organisations are struggling to keep up with changing economic forces.

Here are some things you can start doing to build better relationships with your employees and nurture a resilient workforce in a post-pandemic world.

Focus less on roles and more on critical skills

The accelerated rate of change in the post-Covid tech industry has resulted in frequent disruptions to business, with companies scrambling to adapt. If you’ve hired someone for a specific role today, chances are your business requirement may change a few months from now, making that role obsolete.

According to Gartner, “40% of employees said they frequently completed responsibilities outside of their role.” It no longer makes sense to use roles as the primary metric to manage your workforce

What’s far more effective is to look at the critical skills your organisation needs to get a competitive advantage.

Let’s say you’re building a cloud-native application, and your team lacks skills in AWS security. It makes sense to hire cloud specialists today, but six months from now, your organisation decides to change their cloud provider to Azure and migrate their apps to Kubernetes.

Narrow your focus to what gives your organisation a strategic advantage instead of worrying about filling vacant roles.

Your expensive cloud security specialists are no better equipped to handle these new challenges than the rest of your team, and they’ve barely been onboarded.

If you instead train your employees in AWS security, it ends up being cheaper and faster. And when your company does pivot to Kubernetes, all you’d have to do is help them acquire new skills in Kubernetes security.

It’s crucial to identify skill gaps as soon as possible so you can invest in training your in-house talent and drive future success. This has the dual-benefit of making your employees feeling more valued.

When the ground is constantly shifting under your feet, narrow your focus to what gives your organisation a strategic advantage instead of worrying about filling vacant roles.

Enable horizontal mobility between disciplines

This point ties in closely with the last one. When it comes to career mobility, we tend to limit ourselves to a pretty narrow range of disciplines, where skill requirements largely stay the same and the only way forward is to climb the ladder.

But that fails to account for the full breadth of possibilities for mobility between disciplines in the workplace today. If business demands are changing faster than ever post-pandemic, your organisation needs to offer more flexible career paths for employees.

For example, if there’s a programmer on your team who’s keen to work on security, you can help her shift disciplines from development to application security. Developers not only know code, they have plenty of skills that can prove extremely useful to the security team.

Flexibility isn't just good for overall productivity, but for employee morale, too.

One of the best ways to make this horizontal mobility easier for your employees is to help them acquire the skills they need to make the jump. By training your programmer in AppSec, you can prepare her for her new role as a security engineer.

This sort of flexibility isn’t just good for overall productivity, but for employee morale, too. When you listen to and look out for your team members, they’re motivated to do more and stick around longer.

That’s a win-win, if you ask me.

Prioritise outputs over processes

Disruptions don’t just cause problems for organisations and their operations, they can create confusion for employees who are used to (or expected to) do things a certain way.

If your company is heavily-reliant on highly specific processes in its day-to-day operations, this could create unnecessary friction for you and your workforce.

Start focusing more on objectives and outcomes rather than processes. By giving your employees some flexibility in the way they carry out their tasks, you can increase productivity and reduce the strain between team members and management.

Having a fixed objective or end goal is also a good way to give your team clarity on what they’re trying to accomplish.

Having a fixed objective or end goal is also a good way to give your team clarity on what they’re trying to accomplish. Over time, your employees will learn to work smarter and optimise inefficient processes on their own, which they previously might have had to wait to get permission from higher up.

For example, if your team is required to perform security testing manually, let them automate parts of their process instead. This reduces the amount of man-hours spent on something automation scripts could have handled in a fraction of the time.

A secondary benefit to this is that employees with autonomy tend to be more engaged and fulfilled with their work, since their personal contributions are much more significant.

Consider a hybrid work model

One of the big fallouts of the Great Resignation was a wider appreciation for the benefits of working from home. Now that everyone was doing it, the idea didn’t seem so bad, after all.

I don’t mean to suggest remote work is a perfect replacement for the office, but a lot of people see real advantages to it. In fact, at AppSecEngineer we’re a completely remote-work company ourselves.

While plenty of people will be itching to get back to offices, there’s a significant portion of the workforce who want to stay remote. With a lot more companies today offering work-from-home, employees will view those offering flexible work options much more favourably.

Even if you’re not looking to go completely remote, you should definitely consider making your schedules flexible or even hybrid, especially for teams that already do most of their collaboration over online channels.

Want to build a better application security program? Here’s how.

Leaders frequently face the problem of getting their developers to take security seriously. Engineering teams tend to view application security as the sole responsibility of the security team, even though they’re the ones responsible for building and maintaining the application.

In recent years, however, organisations have found a solution that’s both organic and surprisingly uncomplicated: security champions.

Security champions take an active interest in application security, evangelising good security practices among their colleagues.

Security champions are members of the engineering team who take an active interest in application security. They can help you push security initiatives and awareness among your developers.

Besides their day-to-day responsibilities, champions evangelise good security practices among their colleagues. In recent years, this has proven to be one of the most effective ways to bridge the gap between security and DevOps.

For instance, a champion could be a developer with a keen interest in cryptography, or a DevOps engineer who understands cloud security automation. Once you identify such a person, you can nurture their interest in AppSec over time.

Here’s a few ways you can turn an engineering team into a true security champion.

Training

Train your champion(s) in key AppSec disciplines like DevSecOps, Threat Modeling, Cloud Security, etc. Hands-on training can help them develop their skills and get working experience at an accelerated pace.

Make resources available

Regularly provide them with resources they can use and share with the team. This includes OSS projects, interesting stories of exploits, and useful security Twitter accounts to follow.

Balance their workloads

Since a champion still has to fulfil their normal responsibilities as a member of the engineering team, you need to ensure they’re not being overloaded with work.

Embrace security automation

Developers tend to view mundane tasks as a friction point for adopting secure coding practices. If you give them the resources to automate the boring parts of AppSec, your engineering team will be less inclined to drag their feet on implementing key security features.

Create a community

If your organisation has multiple engineering teams, create a community of security champions where they can share resources and solutions, and help each other out.

The best thing about leveraging security champions is that others in your engineering team won’t see it as ‘yet another mandate from leadership.’ When it comes from within the team, your other employees will be far more receptive to efforts to standardise the quality of application security across your apps.

Aneesh Bhargav

Aneesh Bhargav

When Aneesh is not creating career-focused security content, he’s probably playing video games.