
Collaborating With a Cross-Functional Expert

Rafal Leszczynski

Engineering Manager at Sourcegraph

Problem

At my previous job, my team, the product engineering team, was having some trouble cooperating with the security team. We had a lot of interaction with security, mostly concerning vulnerabilities that they’d discovered and new initiatives that we would be collaborating on for the company.

For our purposes, a thorough security review process was essential. The problem that we were experiencing was that there were multiple security engineers reporting their findings to us, and, each time we wanted to have another security review or risk assessment, a different person would be assigned from their end.

Our colleagues from security didn’t necessarily have equal amounts of context when it came to what our objectives entailed. All of the different feedback and suggestions from them were great, but it took a lot of time to bring every new person who became involved up to speed. There was a lot of back and forth and additional work.

Actions taken

We approached the other team and suggested that, instead of one of many engineers from their side, they assign only one security expert as our official point of contact. We pledged to invest the time and energy into training them completely on my team and our processes, onboarding them and giving them the knowledge and the expertise needed to function fully in the role.

They would have the opportunity to bond with my team and to build relationships within the company from that perspective. In the long run, we would be able to reduce the back and forth and to have a more common understanding around security problems and our application restraints in order to conduct a more effective security review.

They thought that it would be a good idea. We got our security expert assigned to us. We were already in the process of onboarding a new product engineer, so they were able to go through the process together. We invited this person to all of our outings and social events. In one or two months, we were able to drastically change the way that we worked. We had a new initiative in front of us, and, with our new security expert, all of our security reviews have been really productive and smooth. Ad hoc vulnerability reporting was still done by multiple people as different engineers conducted different penetration tests, but we relied heavily on this one person who was able to provide that context to the security team and to be this kind of bridge between us and them.

Lessons learned

  • Assigning a specific security engineer to every single team became a company-wide policy after this experience. This unique solution was applied widely and to our advantage as a company.
  • My team really enjoyed having somebody specific to talk to about the problems that they were having. We weren’t just throwing our problems over the wall anymore. We became more equipped to work together and to collaborate effectively.
  • Both teams were able to acquire a more nuanced understanding of both the other side’s domain and the domain that they already were experts in beforehand. They not only had access to more new information on a professional level; there was also this human-to-human interaction that allowed them to move past the distance of a distributed remote environment.


© 2024 Plato. All rights reserved
