DevSecOps can transform how your organisation delivers secure systems quickly. However, true success requires addressing often-neglected aspects of organisational and cultural change.
Now, we know that cultural change can be hard for engineers, but in many cases, it is even harder for leadership teams and boards!
As such, it is vital to identify the right pilot projects, where there is a very real security need but where the risk is manageable. This should allow your people to focus on proving out DevSecOps’ potential without exposing your business to unnecessary risk.
With the right balance of technical skills, empathy and communication abilities your teams will inevitably showcase how the methodology & its philosophy can deliver on the promise that it can deliver ‘better security’.
Let’s get to it, in more detail.
Mature organisations have well-established structures, processes and ways of working to keep data, information and systems secure. This is especially vital in highly regulated industries where large volumes of personal and sensitive data are processed and managed about customers’ wealth, health and energy use.
Historically, these structures involved separate deliver-and-operate functions and information security or cyber security teams that would be responsible for system assurance. Now, whilst separating assurance out has helped keep information secure, it has also created inefficiencies, slowing down releases and increasing ongoing costs.
Enter a new philosophy…
DevOps, a cultural philosophy, framework and set of practices, which combines delivery and operations, has become a software development industry standard. DevSecOps is built on this philosophy, aiming to align another element of the operational structure into a combined function rather than a siloed composite part.
However, the transition to DevSecOps, which incorporates security into the core operational delivery lifecycle can be fraught with peril – and full of questions as to risk and operational management.
DevSecOps, could be thought of as a buzzword… but it isn’t, it is a way of working or an approach with many definitions.
However, at its core is a methodology, practice & framework for reduced delivery cycle times, lower security and privacy risks, and improved visibility of security decision-making.
However, achieving these benefits requires more than merely technical or procedural changes; it involves a cultural and behavioural shift.
Waracle suggests that organisations focus on core principles to successfully adopt DevSecOps:
In our experience, successful organisations empower their teams to start small, fail fast, learn, and progress quickly. Strong leadership communication and awareness of DevSecOps’ benefits will only ever be encouraged through cross-team collaboration, which is why we suggest that it is as much a cultural challenge as it is a process and ways of working challenge.
If you are starting out on your DevSecOps journey, it is wise to seek out discipline expertise and plan small but scalable test environments within your CI/CD pipelines.
DevSecOps emphasises automated vulnerability scanning and secure coding practices. While essential, these are only part of the solution… Incorporating Security by Design and Privacy by Design during the discovery, design and delivery stages of your agile software development cycle is crucial to prevent expensive remediation at a later date.
Agile security testing as part of quality assurance (QA) will help you identify vulnerabilities that automated tools may miss. Embedding security within live services allows for rapid, adaptive changes to platform security controls as threat intelligence or risk profiles evolve.
Decoupling security from delivery teams can lead to an “assurance” mindset, where security is seen as a blocker rather than an enabler. Integrating security into you product teams requires a shared vision with security at its core. The focus should shift from “Is this too risky?” to “Can we design to mitigate these risks?”
With security fully embedded in the DevOps pipeline, separate security programmes may become significantly simplified (or in some verticals almost obsolete). Security requirements owners must prioritise making security risks relevant to the business and making prioritisation work. This involves clearly describing the business impact of not delivering a requirement and actively participating in requirements prioritisation.
DevSecOps can be transformative, but it requires addressing organisational and cultural changes. Identifying the right pilot projects and staffing them with team members who possess the right balance of technical skills and communication abilities is crucial.
Linking DevSecOps efforts with ongoing digital transformation initiatives can help reduce costs and tap into existing skills and mindsets. There’s no one-size-fits-all approach, but successful DevSecOps transformations must address the critical role of cultural and organisational change in fostering collaboration, establishing effective practices, and achieving shared goals.
Organisations can learn from the open and collaborative DevSecOps community. By continually assessing impact, learning from others, and not being afraid to pivot, businesses will inevitably find out what works best for them.
If you are trying to drive forward a conversation about the change needed to create value from DevSecOps and need a reputable partner to support you as you drive through the organisational change necessary, then get in touch.