Conway’s Law: The Flawed Legacy of CSPM & Why "Shift Left" Isn't Enough for True Cybersecurity Transformation

September 19, 2024

The Illusion of a Cybersecurity System: How Traditional AppSec, CSPM & "Shift Left" Apply Traditional Cybersecurity Thinking to Modern Problems, Resulting in Flawed Solutions


Conway's Law tells us that the systems we design mirror the communication structures of the organizations that build them. Traditional approaches to Application Security (AppSec) and Cloud Security Posture Management (CSPM) are clear examples: they apply traditional cybersecurity thinking to modern problems and arrive at flawed solutions. These platforms are rooted in vulnerability-centric designs that fail to address the core challenges of modern product development. By building on outdated models, they perpetuate the same issues they were meant to solve.


Gene Kim's The Phoenix Project illustrates how organizations create the very problems they intend to solve by failing to address root causes. Just as the book's IT and development teams struggled with misaligned priorities and siloed operations, cybersecurity today faces the same challenges. Traditional AppSec and CSPM solutions reinforce these silos, focusing on vulnerabilities and tool integration rather than fostering a collaborative, product-centric culture, and so perpetuate the cycle of inefficiency and risk.


The Limits of Traditional AppSec & CSPM Approaches: The Pitfalls of Vulnerability-Centric Solutions


As we examine the landscape of modern cybersecurity, it's clear that many CSPM solutions, while well-intentioned, were born out of cultures that focus narrowly on vulnerabilities. This vulnerability-centric design is deeply rooted in the very organizational structures that created the security problems they seek to solve. Take Wiz, for example—a CSPM platform developed by founders who came from Microsoft. While Wiz and similar platforms have made significant strides, they remain fundamentally flawed by design, addressing security from a siloed, fragmented perspective.


CSPMs like Wiz are starting to shift left, integrating security earlier in the development lifecycle. However, this shift often results in creating new silos within their platforms, perpetuating a tool-centric mindset that fails to fully achieve the goals of DevSecOps. Rather than rethinking the system as a whole, these approaches act as “enablers” in the negative sense—allowing companies to continue stacking tools into a Frankenstack, rather than encouraging a holistic reimagining of how cybersecurity should align with modern product development.


CSPMs & Conway’s Law in Action: The Missed Opportunity By Building Silos in One Platform


Conway's Law suggests that the way an organization is structured will dictate the design of the systems it produces. In the context of cybersecurity, this means that a fragmented, tool-centric organizational culture will inevitably lead to fragmented, tool-centric security solutions. The missed opportunity here is profound: rather than leveraging platforms to drive real, transformative change, companies are using them to maintain the very systems that are causing their security headaches.


The true solution lies not in enabling more tools but in reimagining the entire cybersecurity system. It is about creating an approach that aligns with modern product development, focusing on a program-centric, people-focused model that addresses the core issues of organizational design, cultural change, and people empowerment. Notably, in May 2024, roughly four years after Wiz was founded, Microsoft itself acknowledged the need for such an approach: as part of its Secure Future Initiative it restructured security governance to assign deputy CISOs to its engineering divisions, engaged engineering more deeply, and tied senior leadership incentives to security outcomes. This move highlights the necessity of addressing foundational issues rather than relying on superficial fixes.


In contrast, the principles of DevOps, as highlighted in The Phoenix Project, emphasize the importance of high-performing teams working in unison to deliver high-quality software. Security should be an integral part of this process, not an isolated function. A true product-centric DevSecOps approach aligns risk management with the actual product teams, ensuring that every team member is engaged in the security process from start to finish.


The Consequences of Flawed Security Approaches: Lessons from SolarWinds and Beyond


The urgency for this systemic shift becomes even clearer when we consider recent high-profile breaches that have shaken the cybersecurity landscape. The SolarWinds breach, which compromised numerous government agencies and private companies, exposed critical flaws in our approach to software supply chain security. This incident wasn't isolated; similar breaches, including those at companies like Codecov, GitHub, and CircleCI, have underscored the vulnerabilities inherent in CI/CD pipelines and the broader software development lifecycle.


These breaches are symptomatic of deeper issues within the cybersecurity system, issues that cannot be solved by simply shifting left or adding more tools. They demand a comprehensive rethinking of how we approach security from the ground up. Executive Order 14028, Improving the Nation's Cybersecurity, issued in May 2021 in the wake of SolarWinds, emphasizes secure-by-design principles, enhanced software supply chain security, and greater transparency and accountability in cybersecurity practices. These mandates align closely with the need to move beyond traditional AppSec and CSPM approaches and toward a more holistic, program-centric model that addresses the root causes of security vulnerabilities.


As Gene Kim demonstrates in The Phoenix Project, true organizational transformation requires a holistic approach that aligns people, processes, and technology. In cybersecurity, this means moving beyond CSPM’s limited scope and adopting a comprehensive, product-centric approach that empowers teams and integrates security into every aspect of product development.


The Need for Product-Centric, People-Focused Security


Breaking free from the limitations of traditional AppSec and CSPM requires organizations to embrace a product-centric, people-focused security strategy. This approach rethinks how security is integrated into the product development process, aligning it with DevOps principles and lessons from The Phoenix Project. Security is no longer the sole responsibility of a separate team; instead, it becomes a shared responsibility across the entire product team, with every member empowered to contribute to the security of the product.


Jon Smart’s concept of "safety teams," as highlighted in his talk "Risk & Control is Dead, Long Live Risk & Control," reinforces this idea. Safety teams act as enablers, helping product teams become risk-aware and proactively secure their work without slowing down development. This shift in approach—where product teams manage their own security while receiving support and guidance from safety teams—mirrors the cultural transformation that needs to happen in organizations.

A product-centric security model, much like Smart's safety teams, emphasizes the need for security to align with business objectives, fostering collaboration and continuous improvement. It’s not about adding more tools or creating silos—it’s about creating a unified system where security is embedded into every stage of the product lifecycle. This ensures that security isn’t an afterthought but a core element of how software is built.


At Start Left®, we champion this approach with our PIRATE® model, which integrates real-time threat evaluation, risk prioritization, and micro-training to equip product teams with the tools and knowledge to secure their products autonomously. Just as Jon Smart suggests, this approach allows teams to balance speed and control, ensuring they deliver high-quality, secure software without being hindered by outdated, centralized security controls.


CISA’s Secure-By-Design Guidance: A Validation of the Need for Change


In April 2023, several years after CSPM tooling and the "Shift Left" approach had become mainstream, CISA (Cybersecurity and Infrastructure Security Agency) released its Secure by Design guidance, which encapsulates much of what we are discussing here. CISA's guidance emphasizes that security must be built into the design process from the start, echoing the same principles of program-centric, people-focused cybersecurity that go beyond simply shifting left. Validation from an authority like CISA underscores the critical need to rethink our approach to cybersecurity.


Reimagining Cybersecurity: The Solution


The approach that we advocate goes beyond simply shifting security left. It’s about rethinking the entire system—creating a unified, program-centric approach that aligns security with the organization’s overall objectives and modern product development practices. This approach is not just about deploying tools; it’s about empowering teams, fostering a culture of security, and ensuring that security is embedded into every aspect of the product lifecycle.


Unlike traditional ASPM approaches, which merely aggregate the output of the tool Frankenstack and therefore enable it, this approach challenges organizations to break free from the cycle of adding more tools to solve problems. Instead, it encourages a complete reimagining of how security should function within the organization, integrating security into the core of product development rather than treating it as an afterthought.


Conclusion: A Call to Rethink Cybersecurity


The flaws in traditional CSPM and ASPM approaches are not just technical; they are organizational and cultural. By focusing narrowly on vulnerabilities and infrastructure, these platforms perpetuate the same issues they were designed to solve. As Gene Kim's The Phoenix Project and Jon Smart's "Risk & Control is Dead, Long Live Risk & Control" presentation both illustrate, true transformation requires a holistic approach that aligns people, processes, and technology.


To achieve true cybersecurity transformation, organizations must move beyond the limitations of CSPM and ASPM and adopt a product-centric, people-focused approach. This means rethinking how security is integrated into the product development process, fostering a culture of collaboration and continuous improvement, and aligning security goals with business objectives. Only by addressing these broader issues can organizations build the resilient, secure software products needed to thrive in today’s digital landscape.


The Path Forward: It's Not About Tools; It’s About People


The path forward in cybersecurity isn’t just about adopting new tools or moving security earlier in the development process. It’s about fundamentally rethinking how we approach security, from organizational design to cultural change to empowering our people. If we continue to build systems based on outdated cultural models, as Conway’s Law warns us, we will continue to face the same vulnerabilities. But by embracing a holistic, program-centric approach, we can break the cycle and create secure systems that are built to last.


This is the essence of starting left—the actual solution that focuses on building security into the DNA of your organization. It's not about enabling old habits; it's about creating a future where security is an integral part of every decision, every line of code, and every product we build.
