Can security become a routine? A study of organizational change in an agile software development group

Organizational factors influence the success of security initiatives in software development. Security audits and developer training can motivate development teams to adopt security practices, but their interplay with organizational structures and routines remains unclear. We studied how security consultancy affected organizational routines in a software development group. Security consultants tested their product, reported vulnerabilities, and delivered a security training. We followed the group during and after consultancy events. As a result of the consultancy, group members improved their understanding of security issues, but could not effect a change of routines within the given organizational structure. They handled vulnerabilities in a stabilization routine without changes in feature development, where security remained intangible. Interestingly, group members acknowledged an unfulfilled need for change but defended the structure inhibiting change. Security initiatives need to consider this interplay of structure and situated practice, and manage change in addition to providing expertise and tools.