Communication Patterns

Communication patterns existing in infosec teams and how to improve them

From the Team Topologies concepts, the goal is to deliver the maximum business outcome so that the business can differentiate itself in today’s market.

Conway's Law implies that the structure and quality of a product or service mirror the communication structure and working methods of the organization that produces it. Hence, it is important to understand the security team’s communication patterns and team structure. Here, we will discuss communication patterns, examples of their application, and the importance of forming business-oriented teams.

The communication patterns observed in Team Topologies are:

  1. Collaboration mode

  2. X-as-a-Service mode

  3. Facilitating mode

Below are examples of how each mode applies to different security tasks.

Collaboration Mode

  1. Security reviews and feature sign-off

  2. Secure code review

X-as-a-Service Mode

  1. SAST

  2. SCA, container image scan

  3. CSPM (Does CSPM come under X-as-a-Service?)

  4. Secret scans

Facilitating Mode

  1. Security champions

  2. Security training

  3. Architecture reviews

There will be combinations of the above modes as we deliver value to customers or developers. For example, in a release, both Collaboration Mode and X-as-a-Service Mode work together. As more X-as-a-Service checks are integrated into the VCS, the flow becomes faster.

Communication Patterns and Interaction

  1. Collaboration Mode with developers

  2. X-as-a-Service Mode with the platform/DevOps team to integrate security tools

  3. Facilitating Mode with engineering, enabling them to choose better security options and educating them

1. Reduce Collaboration Mode

Use Collaboration Mode only when necessary. It is required for:

  • Features that lack documentation

  • Understanding new features and APIs

  • Clarifying doubts and terms

What is not necessary?

  • Unnecessarily pinging developers without reading the documentation

  • Joining their sprint planning, which increases workload just to understand what’s going on

  • Scheduling meetings without adequate preparation

Avoid over-collaboration—prioritize flow over perfectionism. Do not wait until everything is tested before moving forward. If something is causing delays:

  • Split tasks within the team

  • Prioritize important items and defer less critical ones

2. Increase X-as-a-Service Mode

As security engineers, we must work with DevOps/SRE/Platform teams to integrate security tools. Key integrations include:

  • SCA, SAST, container image scans

  • Secrets scanning

  • IaC scans in the VCS

Collaboration is necessary for initial reviews and integrations, but the goal is to automate as much as possible.

3. Increase Facilitating Mode

Security teams should act as facilitators or enablers for platform and engineering teams. This can be done by:

  • Reviewing team documents asynchronously

  • Encouraging the organization to think about security

Key Implementation Strategies:

  • Establishing Security Champions

  • Conducting Security Training

Forming a Business-Oriented Team Rather Than an Activity-Oriented Team

A business-oriented team prioritizes what is crucial for the company rather than just performing security activities. Businesses can be:

  1. Companies with multiple product portfolios

  2. Startups with a single product portfolio

If a product generates more revenue, securing it becomes a higher priority. However, security priorities also depend on:

  • The product itself

  • Customer expectations

  • Regulatory requirements

In B2B businesses, RFPs and compliance are crucial for business success. The GRC team should ensure that RFPs are completed on time without disrupting POC/POV processes. Skilled security engineers are required to implement and maintain compliance governance effectively.

In the feature security review process, prioritize flow over perfectionism.

InfraSec Considerations in Deployment

If deployment is maintained by the SRE team, then having an InfraSec team makes sense because deployment is platformized. The InfraSec team should work closely with the DevOps team.

If deployment is maintained by developers, and DevOps only provides the platform but does not manage operations:

  • DevOps in enabling mode provides tools and infrastructure for deployment and rollout

  • Developers create and manage service accounts and vaults

In such cases, the InfraSec team will be involved in the deployment phase to review security measures. However, as team handoffs increase, so does the time required.

Instead of involving InfraSec engineers in every review, security should operate in Facilitating Mode with the DevOps team to secure the provided platform. X-as-a-Service should be combined with Collaboration Mode to review developer-created IaC configurations.
