https://www.servicenow.com/workflow/security-risk/devsecops-when-dev-meets-sec.html
workflow.servicenow.com · Sep 09, 2024 · article
Developers who don’t want their code changed or nixed because it doesn’t meet certain security standards are missing the point, according to Jasmine Henry, JupiterOne’s field security director. “Security isn’t the ‘department of no’ in a culture where builders embrace security principles,” she says. “It allows everyone to collaborate faster and more effectively.”
To support this collaboration, JupiterOne publishes security policies as “run books,” or lists of procedures, on GitHub, where the company houses its code. The security team’s meeting minutes and security playbooks are also available on GitHub. Internal dashboards allow developers and executives alike to monitor key organizational security and DevSecOps metrics, including vulnerability management, risks, and secure code. And security engineers are embedded with product management and site reliability engineering teams, advising developers on vulnerabilities to be addressed through code. The result is a greater and more decentralized focus on security over the entire product lifecycle.
Even at a company that is already focused on cybersecurity, DevSecOps has to become a conscious practice. At JupiterOne, that includes company leaders who cheer on successful integrations between developers and security experts, cross-department KPIs and practices that support DevSecOps, and training for engineers who want to strengthen their security knowledge.
Henry says this approach is leading to increased interest in security among engineers.
“I’m seeing a lot of interest in adopting better and deeper security training programs for engineering teams,” Henry says. “Every organization can accelerate a DevSecOps culture by investing in better security training for engineers, launching a security champions program, and ensuring that engineers who pursue extra security training are rewarded.”
They’re investments that promise to bolster security and the bottom line.