CISO Series Newsletter
Who is Responsible for the Conflict Between Security and Developers?
Defense in Depth
We know there's tension between security teams and developers. But where does this tension start? Is the constant friction between developers and security teams a leadership problem disguised as a team problem?
Check out this post for the discussion that is the basis of our conversation on this week's episode, co-hosted by David Spark, the producer of CISO Series, and Steve Zalewski. Joining is their sponsored guest, Matt Brown, solutions architect, Endor Labs.
Listen to the full episode here.
The development disconnect
Application security has long suffered from a fundamental structural flaw: security teams built the tools, policies, and expectations without ever involving the people who were expected to use them. James Jardine of DevelopSec put it plainly, noting that security created training programs without input from development. His proposed remedy is a "Development-First" view on application security, one that hands implementation to the engineers closest to the problem. Andrew Wilder, CSO at Vetcor, extended the critique, saying "AppSec is hard because we've spent a decade telling developers to 'think like hackers' when their job is to 'act like builders.'" The solution, he argued, isn't turning developers into security experts. It's making it difficult to even build an insecure tool.
Functionality first, security second
Developers are optimized for shipping, not securing, and any AppSec strategy that ignores that reality is built on a flawed premise. "Developers don't develop for security; they develop for functionality," said Ezra Ortiz of Peraton. He cautioned that trying to address all problems at once is the wrong approach, and drew a sharp distinction between product thinking and security thinking: "Minimum viable product is fine for features. MVP is not fine for trust." Daniel Frye of BreachRx diagnosed the deeper friction, saying, "The brutal truth is that nobody wants to patch; it's overhead and drag on the work that both dev and security want to be, and are incentivized to be, doing." Shift-left, he argued, "doubles down on the drag for dev — kind of like how 2FA doubles down on the drag of user authentication." His prescription is to stop solving the problem and start removing it: "Rather than solve the problem, remove the root of the problem entirely" through automation and AI tools that measurably reduce the time AppSec consumes for both sides.
The incentive problem
Without real economic consequences, application security will always be deprioritized. Greg Notch, CSO at Expel, located the root cause in incentives, saying, "Engineering organizations are funded, tasked, and measured on shipping features that deliver outcomes." Businesses, he added, have largely externalized security risk to customers through liability clauses, leaving "very little real downside risk — except in extreme black swan type situations." The extreme version of this logic, he said, is the rise of vibe coding: "Literally no one on the business side cares that it is introducing security issues if the marginal cost of software development drops precipitously and the shipping velocity increases at the same time." Andrew Livanos of Wiz pointed to a path forward: "Giving teams ownership of their part of the environment, with enough context to understand real risk, tends to change the dynamic."
Speed as the common ground
Security and development share more common ground than the typical friction suggests, and velocity is where that alignment lives. Shawn Kahalewai Reilly of SAP reframed the problem, saying, "The requirements need to be met, but the implementation patterns we use commonly disrupt velocity. If you introduce disruptions to flow and speed, then you have an anti-pattern that will cause people to become upset." Starting from a velocity-first perspective, he argued, produces different objectives and different outcomes: "We don't just want to make things more secure, we want to make things more secure AND faster AND easier." The payoff? "When someone feels like you have made their life easier, and saved some pain, and made things faster, you get instant adoption, and this is the path to harmony."
Thanks to Maxwell Zhou of PolarStar Cybersecurity for being our unwitting contributor.
Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you're not already subscribed to Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, Endor Labs
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Super Cyber Friday
Join us every Friday in April for “Trust Month”
April is Trust Month on Super Cyber Friday, and we're kicking things off with a question about the most foundational kind of trust: the kind you build with your own team.
What has genuinely worked for you in building trust with your security team? Have you tried something that seemed right and ended up damaging the relationship? For practitioners: what has a security leader done that made you think, "This is someone worth following?"
Drop your thoughts in the comments here. The best responses will be featured in the newsletter and referenced live on the show.
>>> REGISTER for single episodes or the whole Super Cyber Friday series <<<
March AMA - "I've built diverse, high-performing security teams. Ask Me Anything about hiring, culture, and talent management in cybersecurity."
Our monthly AMA on r/cybersecurity on Reddit is still open! Our topic is "I've built diverse, high-performing security teams. Ask Me Anything about hiring, culture, and talent management in cybersecurity."
This month we're exploring the human side of security — how leaders recruit and retain top talent, build inclusive teams, and shape the cultures that make security organizations thrive. Whether you're a hiring manager, a job seeker, or just curious about what makes great security teams work, this is your chance to ask directly.
Please ask questions for our participants here.
This month's participants are:
Joshua Scott, (u/threatrelic), CISO, Hydrolix
David Cross, (u/MrPKI), CISO, Atlassian
Shaun Marion, (u/MarshaunMan), VP, CSO, Xcel Energy
Derek Fisher, (u/Electronic-Ad6523), Director of the Cyber Defense and Information Assurance Program, Temple University
Caleb Sima, (u/CalebOverride), builder, WhiteRabbit
Charles Blauner, (u/OG_CISO), operating partner, Crosspoint Capital
Thanks to all of our participants for contributing!
Live at BSidesSF: CISO Series Podcast Recording
On the eve of RSA Conference, CISO Series Podcast returns to BSidesSF for a live audience recording in San Francisco. David Spark will be joined on stage by Mike Johnson, CISO, Rivian, and Sara Madden, CISO, Convera. Immediately after the podcast recording we'll be hosting a CISO Series game show. Join us for that as well.
Huge thanks to our sponsors, Nudge Security, QuilrAI, and Zenity
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Jonathan Waldrop, CISO, Acoustic, and Chris Ray, Field CTO, GigaOm. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Join us again next week, and every Monday.
Thanks to our Cybersecurity Headlines sponsor, Adaptive Security
Cyber chatter from around the web...
Jump in on these conversations
"Anyone else feel like it's 1995 again with AI?" (More here)
"Insecure Copilot" (More here)
"DOGE member took Social Security data on a thumb drive, whistleblower alleges" (More here)
Coming up on Super Cyber Friday:
[04-03-26] “Hacking Trust in Leadership”
[04-10-26] “Hacking Vendor Trust”
[04-17-26] “Hacking AI Trust”
[04-24-26] “Hacking Trust in Security”
Register for the Super Cyber Friday event series on Airmeet. You can register for all upcoming episodes in this ongoing event series. After you register, you can add events to your calendar right on our event series page.
Cybersecurity Headlines - Daily News Shorts
Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.