A major oil and gas organisation faced a critical challenge in securing its applications at scale. With a vast, globally distributed technical organisation, security and development teams operated in isolation, each focused on their own priorities.
This siloed approach created significant bottlenecks, leading to slow vulnerability remediation, missed security risks, and frustrated developers.
A common problem in large enterprises
In large, complex organisations, security is often seen as a gatekeeper rather than an enabler. Security teams are tasked with identifying vulnerabilities but lack the mechanisms to ensure fixes are implemented effectively.
Meanwhile, development teams are under pressure to deliver features rapidly, often seeing security as an external function rather than a core part of their workflow. This misalignment results in:
- Backlogs of Unresolved Security Issues: Security vulnerabilities piled up because developers had no direct accountability for remediation. Without embedded security expertise, fixes were delayed or deprioritised in favour of feature development.
- Slow, Inefficient Security Processes: Security was treated as an external checkpoint rather than an integrated function. Developers had to hand off security-related work, leading to long lead times between identifying and resolving vulnerabilities—sometimes spanning multiple sprints.
- Lack of Clear Ownership: Security was considered “someone else’s problem,” rather than a shared responsibility. Without direct security support within development teams, security best practices were inconsistently applied, increasing risk across the organisation.
- Developer Resistance to Security Processes: Developers often saw security as a blocker rather than a partner. Security reviews felt like an extra burden, slowing down releases rather than enabling a more secure development process.
These challenges are not unique to this organisation—they are common across large enterprises where scale, complexity, and competing priorities make security integration difficult. The organisation knew it needed a different approach—one that would embed security into the development lifecycle without slowing down innovation.
The solution: Embedding security engineers into development teams
To break down silos and improve security efficiency, the organisation introduced Embedded Security Engineers within development teams. This approach ensured that security expertise was always available where it was needed, eliminating bottlenecks and enabling a proactive security culture.
Key Changes Implemented:
- Security Engineers Became Part of Dev Teams
  - Instead of working as an external function, security engineers were placed directly into development teams.
  - This eliminated handoffs and competing priorities, ensuring security expertise was built into day-to-day development.
- Security Became Seamless and Developer-Friendly
  - Security engineers worked alongside developers to automate security checks and integrate them into existing workflows.
  - Hands-on support was provided to help developers understand why security fixes mattered and how to address them efficiently.
- Faster Vulnerability Remediation
  - With security engineers embedded, vulnerabilities were now identified, triaged, and resolved within the same sprint.
  - The organisation moved from reactive, end-of-cycle security interventions to continuous security integration.
- Building Long-Term Security Capability
  - Developers were trained to proactively manage security in their codebases, reducing dependency on external security teams.
  - Teams created and maintained their own threat models within a few sprints, enabling self-sufficiency in secure development.
- Minimised Dependency on External Reviews
  - Security was no longer an afterthought that required costly external audits or last-minute fixes.
  - By shifting security “left” into development, teams could proactively manage risks before they became critical issues.
The outcome: Security as an enabler, not a barrier
By embedding security engineers within development teams, the organisation achieved:
- Faster Security Fixes
  - What once took multiple sprints to resolve was now often fixed within a single sprint.
  - Security became an enabler of fast, secure development rather than a blocker.
- Stronger Collaboration Between Dev and Security
  - Security was no longer a separate function—it was part of the team.
  - Developers had immediate access to security guidance, leading to better, more secure coding practices.
- Reduced Bottlenecks and Handoffs
  - Security was no longer a slow-moving external review process.
  - Developers had real-time security support, eliminating delays in identifying and fixing vulnerabilities.
- A Scalable, Self-Sufficient Security Culture
  - Developers took ownership of security, reducing reliance on a stretched central security team.
  - Teams became security champions within their own projects, ensuring security was integrated into every stage of development.
Conclusion: A model for large-scale security integration
This transformation enabled the organisation to scale its security practices without slowing down development.
By embedding security engineers within development teams, they shifted from reactive security fixes to proactive security integration, ensuring a faster, more resilient approach to securing applications.