When our VP of Engineering announced that the CI/CD and application security teams would merge under one manager in Q1 2022, I expected turbulence. What I did not expect was that the most productive change would come not from shared tooling, but from shared standups. Within two weeks, the security engineers filing tracker tickets into the void were sitting next to the people who maintained our deployment pipelines.
The first month was chaos
Security engineers spoke in CVE identifiers and threat models. Platform engineers spoke in pipeline stages and deployment frequencies. For the first three weeks, every sprint planning session felt like a translation exercise. The first useful artifact was not a policy memo; it was a shared pipeline map with owners, checks, and release gates on one page.