Integrating Security into the Spotify Model (and using Squads for Security teams)
Outcomes/Deliverables
- The session’s aim was to produce a best-practice cheat sheet
- In the session itself, however, the discussion was mostly a general one about what squads are and how their work can be optimised
Synopsis and Takeaways
- Squads are small cross-functional teams, usually numbering no more than eight people
- Squads are grouped into Tribes; Chapters cut across the squads of a Tribe and group the people who share a skill set
- Squads provide a framework for autonomy
- Autonomy is paramount: the squad can decide what to build, how to build it, and how to work together while building it
- Squads work better once they have reached a certain level of maturity
- Success of the squad system depends on the management style and corporate culture; adjustments may be needed
- A pilot should provide proof, or at least show where changes/tweaks are needed for a squad to succeed
- Squads allow for speedy restructuring and disbandment
- They need [Retros](https://labs.spotify.com/2017/12/15/spotify-retro-kit/): regular health checks for squads
- It is important that squad members don’t block other members from delivering value
- It is possible to assign security people to a squad on a part-time basis, for example two days a week; this works as long as their time on those two days is fully utilised
In relation to Security the following points were made:
- Security team members can be embedded in a different squad, e.g. TechOps, WebOps, etc.
- Or vice versa: embed a TechOps/WebOps member in the Security team for six months, so they learn the methods and priorities of Security
- A Security expert within a business should ideally be a member of several squads
- This practice helps to grow a network of Security Champions
- Squads also work well outside Security; examples were given of squads working successfully within marketing and HR