We have an uncomfortable truth in cybersecurity that we rarely admit in public: our strategies often actively hinder the businesses we are trying to protect. For years, security has operated as the "Department of No." We gatekeep releases, enforce cumbersome compliance checklists, and demand that developers fix vulnerabilities without understanding their immediate operational pressures.
I will candidly admit that earlier in my career, I was guilty of this. I bought shiny new tools that promised ultimate visibility, deployed them across engineering environments, and entirely ignored how they frustrated the developers' daily workflows. Predictably, adoption failed, shadow IT increased, and the business was no safer.
When security causes friction, engineering will route around it. If we want to genuinely secure modern infrastructure, we need to completely rethink our approach by adopting the principles of product management.
The Malady: A Lack of Operational Empathy The root cause of security slowing down engineering is a profound lack of operational empathy. We treat security as an isolated technical silo rather than an integrated business function.
Security audits are typically treated as toll gates at the end of the software development lifecycle. When a release is delayed because of a last-minute penetration test finding, the security team feels they have "saved the day," while the engineering team views them as an unpredictable obstacle preventing them from delivering business value. This adversarial dynamic is toxic and entirely counterproductive.
The Remedy: Security as a Product To fix this, security leaders must treat their internal engineering teams as their primary product customers. A good product manager does not build a feature in a vacuum and force users to adopt it. They research pain points, design for usability, and iterate based on feedback.
Here is how we put that into practice:
- Paved Roads OVER Toll Gates: Instead of auditing applications just before deployment, focus your energy on building "paved roads." Provide developers with pre-approved, secure-by-default libraries, CI/CD pipelines, and infrastructure-as-code templates. Make the secure way the easiest and fastest way to deploy. If they choose the paved road, they skip the toll gate.
- Decentralise Security Ownership (The Champions Model): Security cannot scale if it relies on a central bottleneck of security engineers to review every pull request. Embed "Security Champions" within the engineering squads. Give them the training and autonomy to make lower-tier risk decisions independently.
- Align Your Metrics with the Business: Stop measuring the success of your security programme by the number of "vulnerabilities blocked." A far more effective metric is "velocity secured." How quickly can engineering ship a new, secure feature? If your security tooling adds three days to a build pipeline, it is a failed product.
Ultimately, the goal of a security team is not to eliminate all risk. The goal is to allow the business to take intelligent, calculated risks quickly. When we apply a product management mindset and genuine empathy to our strategy, security stops being a speed bump and becomes a strategic enabler.
Recommended Reading
- Building Secure and Reliable Systems - O'Reilly / Google
- Accelerate: The Science of Lean Software and DevOps - Nicole Forsgren, Jez Humble, and Gene Kim. (Crucial reading for understanding engineering velocity).