First, “we take a working backwards approach to product development. This means that we start by understanding our customers’ needs and build our products around them. From design time forward, our security and product teams work together to ensure our products meet our customers’ expectations for security.” 

The next step is to sit with the scientists and brainstorm their priorities to figure out who does which part of the protection. “Part of our mantra is that we bring in security specialists early in this process, so that they are part of the design and product teams and are very much collaborative partners, instead of addressing security later on in the development process,” Herzog tells CSO. 

This last point is sadly all too typical for many other companies because it puts security at odds with product development. “This means a security review is doing code scanning to find and fix stuff at the last minute,” she said. “Instead, we do scans throughout the coding lifecycle. While it is harder to do this, it provides a positive feedback loop and produces better and faster results and has the added benefit of having the security team feeling part of the development process as just another builder,” rather than some control point that could set up a more adversarial position. “Our goal is to engage early and often with the product team.” Call it the Chicago voting style of security management.