Having only security operations is ok
You just have to understand the limitations, and security problems won't be fixed as quickly.
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Traditionally, cybersecurity has been an operations-focused discipline because it was part of IT. With the rise of the cloud, much of the infrastructure responsibility has shifted from IT to engineering, but in many companies, including many tech ones, security is still focused on operations rather than engineering. In fact, even companies with dedicated DevOps teams often don’t have a dedicated engineering team for security. Although I believe that every tech company should have an engineering team focused on security, it’s not always necessary or even possible — hiring engineers, especially ones who specialize in security, is difficult and tricky.
What’s an operations-focused security team?
Most “traditional” security teams are operations-focused, and that’s how the industry started. What does that mean? These teams are focused on auditing systems and uncovering risks. Although there are tools that help with this, scaling an organization like this requires adding more employees. This is in contrast to most engineering-focused organizations where you can scale engineering processes through building platforms.
It’s no surprise that security organizations started this way because most of the compliance work is a form of auditing. For example, SOC2 is a type of security audit that started as a form of financial control that morphed into a security requirement. As a result, many companies have molded their security responsibilities around key compliance requirements.