Rafal has a very nice post up that explores why security folks have such a hard time getting application developers to care about secure coding.

As I was reading that post, two ideas merged in my poor little head. This was cause for celebration because it doesn't happen very often 🙂

Thought #1: Ask, Don't Tell

I recently attended a class provided by my employer called Adaptive Leadership. One of the tenets of this class is that it is often more productive to ask than to tell. What does that mean?

When we tell somebody to do something or give specific instructions, they have no investment in the outcome.

However, if we ask the right questions and lead their thoughts down the right path, we give them the opportunity to invest in the outcome. If we do this well, we then have somebody who has convinced themselves that this is the right thing to do, whatever that right thing may be.

Thought #2: Engagement

This video, RSA Animate - Drive, is a synopsis of Daniel Pink's book Drive. I have just started reading it, so I don't yet have detailed knowledge of the ideas introduced in the book. One thought I did get from the video is that engagement is key to performance; performance, in this case, means caring about secure coding practices.

Engagement means that the individual cares about what they are doing, that they are invested in the outcome.

Thought Merge: Ask, Don't Tell To Get Engagement

If we can use 'ask, don't tell' to get people invested in something, and getting people invested in outcomes produces engagement, might we not end up with developers who care about producing secure code?