# Making open source security work across every department

This recap from the Open Source Security Summit discusses how organizations can build open source security practices that reach every department.

*By Bitwarden Events*

*Published: April 16, 2026*

---

Open source security works best when every team can participate, not just the engineers. At the [2025 Bitwarden Open Source Security Summit](https://bitwarden.com/fr-fr/open-source-security-summit/), technology journalist Bree Fowler moderated a panel featuring Patrick Ward, Director of IT at Veritas Prime, and Jason Mayde, Chief Technology Officer at Highwire, on how organizations can build open source security practices that reach every department.

[![Vimeo Video](https://vumbnail.com/1123726385.jpg)](https://vimeo.com/1123726385)
*[Watch on Vimeo](https://vimeo.com/1123726385)*

## Transparency drives inclusivity

Open source transparency gives both technical and non-technical stakeholders a shared view into how their tools work. Ward emphasized that this visibility allows non-technical teams to verify solutions meet organizational requirements. When a closed-source tool claims "military grade" encryption, that claim is unverifiable.

> With open source, "you can actually peer inside and confirm what level of encryption is in place, satisfying all levels, technical and non-technical." – Patrick Ward, Director of IT at Veritas Prime

Mayde added that projects should include security documentation and FAQs written for both audiences, reducing knowledge barriers between departments.

These benefits extend beyond just verifying code. When non-technical teams understand what open source tools do and how they work, organizations are better positioned to address common misconceptions.

## Two myths about open source security

Two persistent myths about open source security came up during the panel.

The first myth is that open source code is more susceptible to malware injection. Most projects counter this with robust pull request processes and continuous deployment integrations that run automated security scans, catching vulnerabilities before they reach production.

The second myth is the perception that open source software is unreliable or unprofessional. Many of the world's largest companies run on open source infrastructure, with Linux being a prime example. Dedicated companies now offer professional support for open source products, eliminating the old concern about where to turn when something breaks.

Once misconceptions are addressed, the next challenge is practical: how do organizations balance strong security with ease of use while maintaining the collaborative transparency that makes open source valuable?

## When security and usability compete

Security and usability often conflict, regardless of whether software is open or closed source. Ward noted that while open source transparency provides some security assurance through community scrutiny, organizations still need to think about "what compensating controls can be implemented along with that solution to achieve the goal of the security program."

Mayde stressed that security belongs at every organizational level, not just within individual projects.

> "It's security by design and incorporating security at all levels — not just at the project level, but the full organizational level, creating a culture of security across your entire organization." – Jason Mayde, CTO at Highwire

One area where that balance is especially visible is in product design. When security tools are intuitive, users engage with them rather than working around them.

## Good user experience (UX) builds trust

Ward pointed to Bitwarden Password Manager as an example of how thoughtful design makes security accessible. Features like password breach checking, autofill prompts, and clear visual indicators, such as the locked vault icon, help non-technical users understand their security status without needing to know the underlying mechanisms. He also noted that UX is not static; to reach diverse audiences, design elements must be constantly evaluated against user habits so the experience evolves naturally.

Mayde cited Firefox as another strong example, highlighting its clear privacy controls, security indicators, and automatic updates.

That same principle of meeting users where they are extends to a global scale.

## Security across cultures

Making security practices work globally requires more than translation. Mayde highlighted the importance of truly localizing content by adapting it to cultural context rather than simply converting words between languages. Firefox, which he also cited for its UX, demonstrates this in its localization, adapting down to cultural nuances rather than just translating interface text. Inclusive language and continuous training across languages also play a role.

Ward agreed, noting that translating a security guide from English to Hindi does not guarantee effectiveness. Including contributors from diverse backgrounds who understand the target culture produces stronger outcomes.

## Keeping pace with change

Open source tools evolve rapidly. Ward recommended that organizations define overarching security program goals independent of specific tools. Properly designed complementary controls allow teams to achieve consistent outcomes regardless of which systems are in place.

Mayde recommended combining automation with active community engagement and proactive security measures. Regular audits and vulnerability assessments help organizations stay current as tools and threats change.

> "The threats are coming in. They're using automation, so we have to stay one step ahead of them." – Jason Mayde, CTO at Highwire

Both panelists agreed that automation is no longer optional. It creates sustainable, scalable systems without requiring proportional staffing increases.

## Communicating security to non-technical teams

Ward called people "the weakest component in any security architecture," but pointed to a clear solution.

> "The best way to ensure non-technical departments adhere to good security practices is through very deliberate, targeted training and carefully designed technical controls that enforce — not just suggest — the desired security practices." – Patrick Ward, Director of IT at Veritas Prime

### Balancing security without creating shadow IT

When security heavily outweighs usability, Ward warned, "you're more likely to introduce shadow IT scenarios." Striking the right balance means designing controls that protect the organization without driving people to circumvent them.

Mayde added that demonstrating business impact helps users understand why security practices matter and how they benefit both individuals and the organization.

## Learning from user feedback

Non-technical users often provide valuable security insights. Mayde cited password resets as a recurring pain point throughout his career. Feedback from users helped him streamline those processes while maintaining security, and surfacing security dashboards gave users direct access to the information they needed.

> "The way to have absolute security is to unplug it. If you can't use it, it's secure. But you have to be able to use it." – Patrick Ward, Director of IT at Veritas Prime

Ward shared a lesson from early in his career, when he tended to over-engineer security solutions in pursuit of that "absolute security." In one case, a system he designed to reboot after each logout prevented employees from clocking in during shift changes. The experience reinforced that, as he put it, "you have to incorporate user feedback through the lifecycle of a system rather than reacting to the consequences in production."

## Get started with Bitwarden

Transparent, accessible security starts with the right tools. [Get started with Bitwarden Password Manager](https://bitwarden.com/fr-fr/pricing/business/) to give every team, technical and non-technical, a shared foundation for stronger security practices.