Every week, CEO Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

We recently spoke with DK Koran, BISO at NerdWallet. Here are the top takeaways from the interview.

#1: Balance Developer Autonomy with Security Controls

“We give an insane amount of power to our developers to create their own infrastructure. We went with that — I don't know if you've heard of the single-threaded teams model that came out of Amazon, but the idea is you give autonomy to the individual. We'll call them verticals. And they are supposed to have complete control over their infrastructure and what they do. And so where we run into issues with what you're explaining is we have what we call a core engineering, which people can just use. And that's gone through all the reviews, it's gone through hardening, like all your classic infrastructure security type stuff, all your network hardening and stuff like that, but they're also allowed to do their own thing if they want.

“And so you're saying, ‘Oh, these problems come up over and over again.’ Well, we run into a situation that's the same, but different in the sense of they're doing their own thing. And now we need to figure out what's happening. What are they doing? Why is it here? What are they trying to accomplish? So we see more of that happening over and over again, rather than our entire web application, and deploying it, and putting the same hole in over and over again.”

Actionable Takeaway: Security teams should embrace developer autonomy while maintaining core security standards. By providing a hardened, well-reviewed infrastructure foundation alongside the freedom for teams to innovate, organizations can balance velocity with security. This approach requires security teams to stay adaptable and curious, constantly learning about new developer initiatives while providing guidance rather than rigid control.

#2: Lead with the “Why” in Security Decisions

“The thing that I think I've learned the most and the biggest challenge is, again, it's people, but it's a relationship. I think that I've run into security engineers who are like, ‘Security, security, security, only security, nothing else matters.’ They get really ingrained in that philosophy, and they forget that the people they're dealing with are also people, and they have their own roadmap and their own people to deal with.

“I'm bringing all of this up because it's one of the challenges I run into with a couple of my engineers because they still have that security, security, security mindset. And I'm like, ‘No, you have to have some empathy for the people that you're dealing with.’ And what I found, where I'm going with all of this is my biggest learning in the last year, I'll call it, is the ‘why.’ Why are we doing this? Why are we asking teams to do this? Why are we asking them to participate in security events?

“And once we start including the why in all of this stuff we're doing with details — teams were much more receptive to the things that we were wanting to do. Now, truth be told, I'm a little embarrassed to say that it took me 14 years to figure that out, but damn, I'm glad I did because it's really changed our relationship with our software developers because they're understanding the why. It's not just being forced down their throat, so to speak.”

Actionable Takeaway: Transform your security team's effectiveness by focusing on the reasoning behind security requirements. When teams understand the purpose behind security measures, they become partners rather than obstacles. This shift from dictating requirements to sharing context creates stronger relationships with development teams and leads to better security outcomes through collaborative problem-solving and shared understanding.

#3: Foster Growth-Oriented Security Leadership

“Not the no guys. I refuse to let my team be the no guys. No, that's not allowed. Always ask questions. I think the past year has been big for me personally because I went from an IC role to now a manager role. So there's been a lot of growth for me there. And the challenges there, that I'm realizing from a security point of view, myself included in this, I feel like security engineers like to keep evolving and keep learning and always have new challenges.

“And I think as a manager of these folks now, it's finding those opportunities for them, whether it be through building new things or solving hard problems. And that has forced me to think differently, as even in a security hat of, ‘Okay, what is my next three steps so that I can keep my team moving forward? Growing, growing professionally, enhancing their skills, all of those things.’ That's been a personal thing that for me has been a challenge, but I'm really, really enjoying it. And I think I just love seeing it come to life and seeing them learn and achieve the things they want. An easy one that's tangible is, a couple of members of my team want the OSCP, like, big fancy certification. And just seeing their evolution of their skills as they're studying for this, that it applies to their personal growth as well as their professional growth.”

Actionable Takeaway: Successful security leadership requires moving beyond the traditional "security says no" mindset to create an environment of continuous learning and growth. By supporting team members' professional development goals, encouraging curiosity, and maintaining a question-oriented approach, leaders can build security teams that drive innovation while maintaining strong security standards.
