Conway’s Law: The Flawed Legacy of CSPM & Why "Shift Left" Isn't Enough for True Cybersecurity Transformation
The Illusion of a Cybersecurity System: How Traditional AppSec, CSPM & "Shift Left" Apply Traditional Cybersecurity Thinking to Modern Problems, Resulting in Flawed Solutions
Conway's Law tells us that the systems we create are a direct reflection of our organizational culture. Traditional approaches to Application Security (AppSec) and CSPM (Cloud Security Posture Management) are perfect examples of this—they apply traditional cybersecurity thinking to modern problems, resulting in flawed solutions. These platforms are rooted in vulnerability-centric designs that fail to address the core challenges of modern product development. By building on outdated models, they perpetuate the same issues they were meant to solve.
Even in Gene Kim's The Phoenix Project, he illustrates how organizations often create the same problems they intend to solve by failing to address the root causes. Just as in the book, where IT and development teams struggled due to misaligned priorities and siloed operations, cybersecurity today faces similar challenges. Traditional AppSec and CSPM solutions reinforce these silos, focusing on vulnerabilities and tool integration rather than fostering a collaborative, product-centric culture. This perpetuates the cycle of inefficiency and risk.
The Limits of Traditional AppSec & CSPM Approaches: The Pitfalls of Vulnerability-Centric Solutions
As we examine the landscape of modern cybersecurity, it's clear that many CSPM solutions, while well-intentioned, were born out of cultures that focus narrowly on vulnerabilities. This vulnerability-centric design is deeply rooted in the very organizational structures that created the security problems they seek to solve. Take Wiz, for example—a CSPM platform developed by founders who came from Microsoft. While Wiz and similar platforms have made significant strides, they remain fundamentally flawed by design, addressing security from a siloed, fragmented perspective.
CSPMs like Wiz are starting to shift left, integrating security earlier in the development lifecycle. However, this shift often results in creating new silos within their platforms, perpetuating a tool-centric mindset that fails to fully achieve the goals of DevSecOps. Rather than rethinking the system as a whole, these approaches act as “enablers” in the negative sense—allowing companies to continue stacking tools into a Frankenstack, rather than encouraging a holistic reimagining of how cybersecurity should align with modern product development.
CSPMs & Conway’s Law in Action: The Missed Opportunity By Building Silos in One Platform
Conway's Law suggests that the way an organization is structured will dictate the design of the systems it produces. In the context of cybersecurity, this means that a fragmented, tool-centric organizational culture will inevitably lead to fragmented, tool-centric security solutions. The missed opportunity here is profound: rather than leveraging platforms to drive real, transformative change, companies are using them to maintain the very systems that are causing their security headaches.
The true solution lies not in enabling more tools but in reimagining the entire cybersecurity system. It’s about creating an approach that aligns with modern product development, focusing on a program-centric, people-focused model that addresses the core issues of organizational design, cultural change, and people empowerment. Interestingly, [five (5) years after Wiz's founding], Microsoft itself has acknowledged the need for such an approach, restructuring its security governance to align deputy CPSOs with product teams, engaging engineering more deeply, and changing incentivization structures. This move highlights the necessity of addressing foundational issues rather than relying on superficial fixes.
In contrast, the principles of DevOps, as highlighted in The Phoenix Project, emphasize the importance of high-performing teams working in unison to deliver high-quality software. Security should be an integral part of this process, not an isolated function. A true product-centric DevSecOps approach aligns risk management with the actual product teams, ensuring that every team member is engaged in the security process from start to finish.
The Consequences of Flawed Security Approaches: Lessons from SolarWinds and Beyond
The urgency for this systemic shift becomes even clearer when we consider recent high-profile breaches that have shaken the cybersecurity landscape. The SolarWinds breach, which compromised numerous government agencies and private companies, exposed critical flaws in our approach to software supply chain security. This incident wasn't isolated; similar breaches, including those at companies like Codecov, GitHub, and CircleCI, have underscored the vulnerabilities inherent in CI/CD pipelines and the broader software development lifecycle.
These breaches are symptomatic of deeper issues within the cybersecurity system—issues that can’t be solved by simply shifting left or adding more tools. They demand a comprehensive rethinking of how we approach security from the ground up. The President's Executive Order for Improving the Nation’s Cybersecurity, issued in response to these breaches, emphasizes the need for secure-by-design principles, enhanced software supply chain security, and greater transparency and accountability in cybersecurity practices. These mandates align closely with the need to move beyond traditional AppSec and CSPM approaches and toward a more holistic, program-centric model that truly addresses the root causes of security vulnerabilities.
As Gene Kim demonstrates in The Phoenix Project, true organizational transformation requires a holistic approach that aligns people, processes, and technology. In cybersecurity, this means moving beyond CSPM’s limited scope and adopting a comprehensive, product-centric approach that empowers teams and integrates security into every aspect of product development.
The Need for Product-Centric, People-Focused Security
Breaking free from the limitations of traditional AppSec and CSPM requires organizations to embrace a product-centric, people-focused security strategy. This approach rethinks how security is integrated into the product development process, aligning it with DevOps principles and lessons from The Phoenix Project. Security is no longer the sole responsibility of a separate team; instead, it becomes a shared responsibility across the entire product team, with every member empowered to contribute to the security of the product.
Jon Smart’s concept of "safety teams," as highlighted in his talk "Risk & Control is Dead, Long Live Risk & Control," reinforces this idea. Safety teams act as enablers, helping product teams become risk-aware and proactively secure their work without slowing down development. This shift in approach—where product teams manage their own security while receiving support and guidance from safety teams—mirrors the cultural transformation that needs to happen in organizations.
A product-centric security model, much like Smart's safety teams, emphasizes the need for security to align with business objectives, fostering collaboration and continuous improvement. It’s not about adding more tools or creating silos—it’s about creating a unified system where security is embedded into every stage of the product lifecycle. This ensures that security isn’t an afterthought but a core element of how software is built.
At Start Left®, we champion this approach with our PIRATE® model, which integrates real-time threat evaluation, risk prioritization, and micro-training to equip product teams with the tools and knowledge to secure their products autonomously. Just as Jon Smart suggests, this approach allows teams to balance speed and control, ensuring they deliver high-quality, secure software without being hindered by outdated, centralized security controls.
CISA’s Secure-By-Design Guidance: A Validation of the Need for Change
Coincidentally, five years after the introduction of CSPM and the broader adoption of the “Shift Left” approach, CISA (Cybersecurity and Infrastructure Security Agency) released its Secure-By-Design guidance, which encapsulates much of what we’re discussing here. CISA’s guidance emphasizes the need for security to be baked into the design process from the start—echoing the same principles of program-centric, people-focused cybersecurity that go beyond simply shifting left. This validation from a leading authority like CISA underscores the critical need to rethink our approach to cybersecurity.
Reimagining Cybersecurity: The Solution
The approach that we advocate goes beyond simply shifting security left. It’s about rethinking the entire system—creating a unified, program-centric approach that aligns security with the organization’s overall objectives and modern product development practices. This approach is not just about deploying tools; it’s about empowering teams, fostering a culture of security, and ensuring that security is embedded into every aspect of the product lifecycle.
Unlike traditional ASPM approaches, which just act as aggregators, and therefore enablers, of the tool Frankenstack, this approach challenges organizations to break free from the cycle of adding more tools to solve problems. Instead, it encourages a complete reimagining of how security should function within the organization—integrating security into the core of product development, rather than treating it as an afterthought.
Conclusion: A Call to Rethink Cybersecurity
The flaws in traditional CSPM and ASPM approaches are not just technical—they are organizational and cultural. By focusing narrowly on vulnerabilities and infrastructure, these platforms perpetuate the same issues they were designed to solve. As Gene Kim’s The Phoenix Project and Jon Smart's 'Risk & Control is Dead, Long Live Risk & Control' presentation illustrates, true transformation requires a holistic approach that aligns people, processes, and technology.
To achieve true cybersecurity transformation, organizations must move beyond the limitations of CSPM and ASPM and adopt a product-centric, people-focused approach. This means rethinking how security is integrated into the product development process, fostering a culture of collaboration and continuous improvement, and aligning security goals with business objectives. Only by addressing these broader issues can organizations build the resilient, secure software products needed to thrive in today’s digital landscape.
The Path Forward: It's Not About Tools; It’s About People
The path forward in cybersecurity isn’t just about adopting new tools or moving security earlier in the development process. It’s about fundamentally rethinking how we approach security, from organizational design to cultural change to empowering our people. If we continue to build systems based on outdated cultural models, as Conway’s Law warns us, we will continue to face the same vulnerabilities. But by embracing a holistic, program-centric approach, we can break the cycle and create secure systems that are built to last.
This is the essence of starting left—the actual solution that focuses on building security into the DNA of your organization. It's not about enabling old habits; it's about creating a future where security is an integral part of every decision, every line of code, and every product we build.
SHARE!
More Resources
The Best Teams Build World-Class Software
