In 2024 alone, 44 per cent of Canadian organizations reported a cyber attack. Yet another, quieter cost goes largely unreported: the organizational gridlock that emerges when security and delivery teams struggle to align. We see it across sectors—the security team raises legitimate concerns about a new feature launch, the delivery team pushes back about timelines, and progress stalls. What could have been a few weeks of development stretches into months. Meetings multiply, frustration builds, and both teams walk away feeling unheard.
This tension isn’t new, but it’s become more critical. Cybersecurity incidents are no longer rare disruptions: they are regular occurrences with serious consequences for both operations and reputation. Ransomware shut down multiple London Drugs stores—a Canadian retailer—exposing thousands of customer records. News emerged that at least 20 Canadian government networks had been breached in the past four years by foreign agents. For many of us leading security or delivery, the message is clear: incidents are costly, disruptive, and increasingly unavoidable.
We see organizations respond by prioritizing security above all else. Security leaders are given authority and mandate to protect sensitive information and safeguard reputation. Yet this necessary shift often creates tension. Delivery leads, responsible for designing and launching new solutions, are measured on speed, service continuity, and customer satisfaction. When priorities diverge, conflict emerges.
In government, the stakes are even higher. When breaches occur, it’s not just IT that faces scrutiny—ministers have to defend budget requests and program leads need to explain why service delivery has been disrupted. The organizational cost extends far beyond the technical: failed security becomes an audit finding, a question period issue, and a public trust problem.
The challenge is not choosing one side over the other. It’s finding ways for both to work together toward shared goals.
What each side needs
Before solutions can be found, it helps to pause and recognize what each side is actually trying to accomplish. The daily pressures facing security leaders and delivery leads are real, and often conflicting.
Security leaders focus on protection and stewardship:
- Reducing organizational risk
- Ensuring regulatory compliance
- Maintaining consistent security controls
- Avoiding incidents that damage reputation
- Passing compliance audits
Delivery leads focus on momentum and value creation:
- Shipping features quickly
- Responding to user needs
- Maintaining service continuity
- Satisfying customers
- Driving innovation
Understanding these pressures on both sides is the first step to building a healthier relationship. Neither set of priorities is wrong. Both are essential for organizational success. The conflict is structural, not personal.
Warning signs of dysfunction
Here are some red flags that indicate security-delivery collaboration has broken down:
- Release cycles stretching from weeks to months due to security roadblocks
- Shadow IT emerging as teams route around security processes
- Security reviews happening at the last minute, creating expensive delays
- Blame games after incidents, rather than collaborative post-mortems
- Duplicate tools and processes as teams work around each other
- High staff turnover in either security or delivery teams due to frustration
Sound familiar? It’s time to reset the relationship. These symptoms point to a fundamental misalignment. The question is: how do you fix a relationship that’s been adversarial for years? The answer starts with a mindset shift.
Shifting from blockers to enablers
Communication and culture are at the heart of the shift. Security cannot simply be the team that says “no.” To keep pace with digital transformation, security needs to evolve into a business enabler. This means reframing security as an integral part of how solutions are built and maintained rather than an afterthought or obstacle.
Secure by design gives this cultural shift a clear principle to rally around. The idea is to ship products that are safe by default, with:
- Least-privilege access built in
- Clear ownership for vulnerabilities
- Security controls embedded directly in the engineering workflow
- Threat modeling integrated into design sessions
DevSecOps provides a practical way to put secure by design into action. Embedding security into development and operations makes it part of the daily workflow instead of a gate at the end. This approach reinforces the cultural shift while providing the tools and practices needed to deliver securely and efficiently.
What does this look like in practice?
Cultural change takes time, but teams need practical steps to start improving collaboration immediately. Here are the approaches we’ve seen work best:
Communicate and align expectations
Breakdowns between security and delivery often stem from a lack of shared understanding. The antidote is deliberate, transparent communication.
What works:
- Joint planning sessions where both teams contribute to sprint planning and roadmap discussions
- Shared documentation that explains security policies with business context
- Regular check-ins beyond formal reviews—quick Slack conversations that prevent small issues from becoming blockers
- Cross-team shadowing where delivery team members sit in on security reviews and vice versa

Here’s what collaboration looks like in practice: One client with a new security team worked closely with us to deliver a solution while staying within the constraints they set out. They were involved in all aspects of the delivery phase, from planning and design through implementation and deployment. The result was a collaborative process that balanced speed and protection, ultimately delivering a finished solution that met all requirements on time and within budget. This project has since served as their internal model for successful security-delivery collaboration.
Embed security early
Security is most effective when it becomes part of the development lifecycle from the beginning. This “shift left” approach avoids late-stage roadblocks that derail releases.
Practical implementation:
- Automated security scanning in CI/CD pipelines (SAST, DAST, dependency scanning)
- Secrets detection that prevents credentials from reaching repositories
- Infrastructure as Code with security policies baked into templates
- Security champions within delivery teams who understand both domains
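As an added example (not from the original article or from any particular tool), here is one way the secrets-detection step could work: a Python check that scans only the added lines of a unified diff, such as the output of git diff --cached, and reports credential-like values with their file and line. The rule names, the entropy threshold and the sample diff are assumptions constructed for illustration.

```python
import math
import re

# Constructed sample diff; every key-like value below is made up for this example.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
+db_password = "s3cr3t-Pa55w0rd-x9Qz"
+API_TOKEN = os.environ["API_TOKEN"]
-OLD_SECRET = "hunter2hunter2hunter2"
+password_hint = "aaaaaaaaaaaa"
"""

RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Quoted literal assigned to a credential-like name; filtered by entropy below.
ASSIGN = re.compile(
    r"(?i)\b\w*(?:password|passwd|secret|token|api_?key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
MIN_ENTROPY = 3.0  # bits per character; assumed threshold, tune per code base

def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_diff(diff_text):
    """Return (path, line_number, rule) for each added line that looks like a secret."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            line_no = int(m.group(1))  # first line number of the hunk in the new file
        elif line.startswith("+"):
            for name, rx in RULES:
                if rx.search(line):
                    findings.append((path, line_no, name))
            m = ASSIGN.search(line)
            if m and entropy(m.group(1)) >= MIN_ENTROPY:
                findings.append((path, line_no, "hardcoded-credential"))
            line_no += 1
        elif line.startswith(" "):
            line_no += 1  # context lines advance the new-file counter; removed lines do not
    return findings
```

A pre-commit hook or pipeline job would fail when scan_diff returns anything. The environment-variable lookup and the low-entropy placeholder in the sample are not flagged, which keeps the check from blocking routine commits.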

Zero Trust principles strengthen this approach by providing a clear framework. Verifying explicitly, assuming breach, and enforcing least privilege complement shift-left practices perfectly. For a deeper look at why Zero Trust matters, see our earlier article on the topic.
Build trust and relationships
Formal processes matter, but informal connections are just as important. Security and delivery should know each other as colleagues, not only as names in a ticketing system.
Relationship-building strategies:
- Shared communication channels for quick questions and updates
- Cross-functional coffee chats and lunch-and-learns
- Joint incident response where both teams participate in post-mortems
- Shared success metrics that align both teams toward common goals

The contrast with another organization is stark. While there was communication between security and delivery teams, there was little understanding on either side about policy context or business needs. Security remained unbending in their requirements, while delivery grew increasingly frustrated with the process. Rather than collaboration, the workflow consisted of large security scans being conducted and results thrown back to the delivery team to remediate without guidance or context. Releases happened only once or twice a year, frustrating both staff and users. This shows how security can either enable progress when engaged collaboratively, or stifle it when reduced to a compliance checkbox.
Share accountability
Security cannot rest solely on one team. Shared accountability spreads responsibility across the organization while empowering teams to make secure decisions independently.
Implementation approaches:
- Security training integrated into developer onboarding
- Shared dashboards showing security metrics alongside delivery metrics
- Cross-functional KPIs that measure collaborative success
- Automation that reduces manual security review burden
- Clear escalation paths for when teams need expert security guidance

Getting started
Ready to improve security-delivery collaboration in your organization? Here are four implementation tips to set yourself up for success:
- Start small and build momentum: Pick one practice from the list above and implement it consistently for a month before adding more. Success breeds success.
- Get executive alignment: Ensure leadership from both security and delivery are committed to the change. Without top-down support, initiatives often stall when the first conflict arises.
- Focus on relationship-building over process: Tools and frameworks matter, but informal connections and mutual understanding drive lasting change. Invest in the human side first.
- Measure what matters: Track collaborative behaviours (like joint planning sessions held, cross-team conversations, shared decision-making) rather than just final outcomes. These activities predict success and give you early signals about what’s working.
The mindset shift
Security and delivery will always have different mandates, but they do not need to work at cross purposes. By embedding security into delivery processes, fostering open communication, and building trust, organizations can replace tension with partnership.
The goal is not for delivery to get its way, nor for security to dominate. The goal is to enable the organization to innovate securely, delivering solutions that are both resilient and user-centered.
For security leaders, this shift reduces compliance risk, prevents reputational damage, and makes their teams allies rather than obstacles. For delivery leads, it clears the path for faster releases, better user experiences, and sustainable innovation.
Organizations that successfully bridge this divide don’t just reduce friction—they gain competitive advantage. They ship faster, with fewer security incidents, while building the trust and resilience their users depend on. In an environment where 44% of Canadian organizations face cyber attacks annually, that’s not a nice-to-have. It’s survival.