.webp)
The Problem
Tale as old as time: the friction between building out new features and the foundations necessary to deliver those features. By foundations, I’m referring to things such as but not limited to: security, testing, Continuous Integration/Continuous Delivery, observability, and Infrastructure as Code.
Recently I attended AWS re:Inforce, an AWS security focused conference. Speaking with fellow attendees it was very common for people ask some variant of “how can I get people in my organization to care about security?”
Disclaimer that I do not consider myself a security person™️, but I do champion security initiatives often. Security is everyone’s responsibility. Sometimes in the real world people get excited about new features and forget about less visible things such as security.
Here are some of my thoughts in the form of unsolicited advice on how I attempt to navigate this.
1. Just Do It
If you work in an organization that gives you the freedom to allocate your time to projects beyond what is officially committed to in the sprint, just do it. Then once it’s finished, you can share with your team what you did, how it works, and why it’s important.
It is often faster to just do it rather than spend the same amount of time asking for permission. Especially at smaller early stage startups, delivering results speak louder than words.
2. View Yourself as an Enabler
Security is often (and mistakenly) seen as an obstacle to rapid feature development. I suggest reframing the conversation to highlight how security actually empowers the team to deliver features more quickly.
Many security measures may not seem urgent now, but by the time they are, it’s often too late. Focus on communicating the value of being proactive instead of reactive.
3. Learn Incentives
Incentives influence our perspectives and priorities. Invest time in understanding key stakeholders, especially decision-makers, to learn what drives them and what matters most to them.
This understanding will help you frame your arguments more effectively when proposing needs that don’t have the allure of a shiny new feature.
Bonus: Get Involved in the Community
As tech professionals, it’s easy to find ourselves working in silos within our organizations. But the more I connect with colleagues outside of my current company, the more I discover that the challenges I’m facing have often already been solved by someone else.
Why reinvent the wheel when we can learn from each other’s experiences - and share our own insights to help others grow? Engage in conversations, exchange ideas, and don’t hesitate to ask questions, even if they seem basic. Often, those “simple” questions lead to the most valuable discussions and solutions.
In person conferences aren’t your thing? Shameless plug to check out the Believe in Serverless Community on Discord!
Closing
Ultimately, trust is the foundation of successful software. When it’s present, it’s invisible; when it’s missing, it becomes impossible to ignore. Once broken, trust is incredibly difficult to rebuild—especially for early-stage startups still working to establish their reputation. If users can’t trust your product, they won’t use it.
I’m not claiming to have all the answers when it comes to security, but I hope sharing these thoughts sparks reflection or helps someone else feel less alone in facing these challenges. Your efforts to prioritize security truly matter, even when they go unseen. Keep pushing forward and championing the importance of strong foundations.
I’d love to hear from you: What strategies or insights have helped you balance the tension between shipping new features and building secure, reliable products?