This is the third post of a five-part series on how SecDevOps gives organizations within companies the tools to accomplish their goals. This particular post looks at how a well-implemented SecDevOps program helps HR teams reach their goals.
HR functions as the backbone of every company. HR may seem the most removed from anything security related; however, HR teams too are kept from reaching their goals by poor integration of Application Security into the development process.
What does HR do?
HR is about more than just employee lifecycle events, payroll and the occasional company event. HR is responsible for recruiting and retaining the lifeblood of the organization: the people. The team makes the company, and HR makes sure the company gets and keeps the team it will win with. So HR cares not only about being an employer of choice, so that it is easy to attract that talent, but also about keeping employees productive on strategic work that keeps them happy. Without SecDevOps, HR teams can struggle to meet these goals for software development and security teams, because poorly deployed AppSec eats away at them.
What are the HR Team’s activities?
- Recruiting Candidates
- Hiring & Retaining Talent
- Training Employees
- Managing Benefits
Why these goals?
Companies need to retain talented employees who are productive to remain competitive.
How does SecDevOps help?
- Be the Employer of Choice
- Increase Employee Productivity
- Keep Employees Happy
Employer of Choice
Let’s start at the top of the funnel – recruiting. All employees in a company are recruited at some point, even if they are a referral. The companies with the best brand and reputation act as a talent magnet. HR departments need all the tools possible in their belt to become and remain that super magnet for talent. The more talent that they can attract, the more selective they can be in hiring the best employees.
The next part of the funnel is retaining talent. Once HR has spent all that time, money, and effort recruiting and onboarding an employee, it needs to make sure the employee stays for as long as possible. HR needs to keep its magnet strong! Finding a replacement when an employee leaves is very costly: recruiting, onboarding, and training all carry serious costs. Costs are even higher in more competitive markets such as engineering and product management, where turnover could cost 1.5-2.0x an employee’s salary. And when employee needs aren’t met, there’s a high risk of turnover.
Development and security professionals are very similar in that if they’re constantly fixing things instead of tackling challenging problems, they will leave. Having talented engineers, who are hard to find and recruit, spend their days fixing a long list of security issues is a terrible waste of resources and hugely damaging to employee morale. Similarly, this is a top reason security professionals quit after 18 months on the job – with a 0% unemployment rate in cybersecurity, they know they can move to the next, more exciting job the moment their current one becomes tedious.
So where does SecDevOps come into play? HR needs to make sure the company implements a great SecDevOps program if it is going to recruit and retain the best employees. SecDevOps prevents that long laundry list of mundane and tedious security backlog because security issues and policies are planned and implemented in advance. They can then tell prospective candidates they’ll be working on impactful projects, not on backlogs. Highly sought-after engineers and security professionals won’t be bored out of their minds working the security backlog. They will want to stay and continue to work on those interesting and impactful projects that help move the company forward.
Lost employee productivity is one of the worst things HR has to deal with. Usually in these cases HR and the employee’s manager will discuss terminating the employee. But what if 100% of the engineering team or AppSec team isn’t productive? Are they going to terminate the entire team? Obviously not. Instead they will investigate and figure out the cause of the lost productivity. In many cases, lost productivity is due to a lack of good SecDevOps, where AppSec issues subtly erode productivity. Engineers end up wasting time working through the backlog of security issues, or rebuilding because they didn’t meet security standards, instead of creating a better product.
This is the next step in the funnel: increasing employee productivity. After HR spends time, money, and effort recruiting talented employees, it needs to make sure they become productive employees. This means having good AppSec so that engineers and AppSec managers aren’t doing time-consuming manual work that a good SecDevOps process would have prevented. Without a good SecDevOps process, security issues pile up because preventive measures weren’t in place, and the longer they sit unaddressed, the harder they are to fix. Engineers aren’t going to be productive if they’re needed to fix issues that wouldn’t have occurred had a good SecDevOps process been implemented in the first place. SecDevOps prevents security debt from building up not only by giving teams tools like security scanners, but also by giving them information about complexity and severity so they can correctly prioritize their work. This is a much more agile and efficient process. SecDevOps gives HR the tools and process to provide an environment in which 100% of employees can be highly productive.
Now at the last step of the funnel is creating happy employees. Companies want happy employees because they are loyal, productive, and even refer new employees to the company. What better proof is there of a happy employee than referring their friend to the company?
HR departments in companies that have excellent SecDevOps simply have happier employees. Engineers are happy because they get to work on cool projects that make a real difference to their customers, rather than doing security cleanup. And security experts get their programs consistently implemented throughout the development process, so they can focus on the strategic components of their job: continually improving and evolving the product’s application security. Great SecDevOps means no more dull household chores and, more importantly, higher employee morale.
HR departments that want and get good SecDevOps naturally succeed in recruiting and retaining the happiest and most productive employees. They improve the company’s brand and reputation, and attrition concerns disappear.