
At Netflix, we work hard to not control other teams. This means we are careful with our use of language. For example, “recommend” is preferred over “required”. While it may be counter-intuitive to some, we have found that this improves security overall by creating an environment where people want to partner with our security teams.
In many companies the security team inserts themselves into lots of business processes. This could mean requiring security approval before pushing code into production. Or it could mean requiring security signoff on foreign travel. All of these security requirements are gates that slow things down. These situations are how security teams start to be known as the team that blocks everything. Over time, people stop wanting to talk to these security teams, find ways to creatively avoid them, and the security stance of the business gets worse.
Freedom and responsibility also provides a backdrop for defining how Netflix’s product security teams interact with other teams. Each team is responsible for the security of what they create. And the security team is here to provide the context (i.e., relevant information) needed for these teams to make good decisions. This parallels how we think about other specialty areas as well. For example, everyone needs to think about the performance of their code to some extent. But when the performance considerations require a specialized expert, people can reach out to a member of our performance team for help.