Achieving customer value with any digital transformation initiative requires an organizational and cultural shift across the enterprise to align people’s efforts with customer priorities. We see such cultural change in software development shops in particular, as DevOps becomes the standard approach to delivering quality software at the velocity the business requires.
By Jason Bloomberg, President, Intellyx
There is a dark underbelly to digital transformation-driven customer value, however: cybersecurity risk. The more technology-centric our organizations become and the faster they move, the greater the chance that an attacker finds the one vulnerability that wipes out all that hard-earned customer value.
The downside of cybersecurity risk certainly garners more headlines than the upside of digital efforts, and an increasing number of executives are realizing that they must address both together.
The inevitable conclusion: how organizations deal with cybersecurity risk must also transform. They cannot simply keep dealing with such risks as they have in the past.
The Transformation of Cybersecurity
Just as digital transformation requires breaking down organizational silos, so too with cybersecurity. “Security needs to be part of everyone’s job,” explains Fraser Scott, Cloud Security & DevSecOps at Capital One. “Security being a constant blocker just won’t scale. Either that or you end up with shadow IT.”
Traditional IT shops relegate ‘information security,’ or InfoSec, to a separate department. Developers must then run their code by InfoSec for approval. This state of affairs slows application development (‘appdev’) down and creates an adversarial relationship between the appdev and InfoSec teams.
From the perspective of modern appdev, such blocking both harms customer value and fails to serve the goals of cybersecurity. “The problem for the security person who is used to turning around security reviews in a month or two weeks is they’re just being shoved out of the game,” says Gene Kim, DevOps thought leader and co-author of The Phoenix Project. “There’s no way with how InfoSec is currently configured that they can keep up with that. So, InfoSec gets all the complaints about being marginalized and getting in the way of doing what needs to be done.”
Large enterprises clearly grasp this transformation within the cybersecurity ranks. “In order for InfoSec and agile to be effective in an organization, you can’t have it locked up with a few people or a few departments that are narrowly looking at their portfolio of work,” says Julie Tsai, director of engineering in information security at Walmart Global eCommerce.
The Rise of DevSecOps
If breaking down the siloed InfoSec team and spreading the responsibility for security across the organization sounds familiar, it should: it is an extension of DevOps, the cultural and organizational shift that has been dissolving the boundaries between appdev and operations for several years now.
The result is ‘DevSecOps’ (or ‘SecDevOps’ or even ‘DevOpsSec,’ depending on whom you ask). “Because developers drive the software agenda, their participation is crucial for achieving a more secure framework,” explains a white paper from security vendor Veracode. “Yet simply acknowledging this fact won’t get the job done. As a developer, you need to position yourself at the center of an application security strategy, and DevSecOps represents the natural evolution of the concept.”
In other words, DevSecOps doesn’t simply amount to dropping a security person onto a DevOps team, a mistake many organizations have made. “The security teams, however, face the biggest adjustment,” the white paper continues. “Security people need to abandon the mindset of check-box compliance, or else get left behind as DevOps takes off.”
Capital One’s Scott emphasizes this point. “DevOps doesn’t mean one unicorn engineer doing all the things. It means breaking down the traditional silos,” Scott explains. “You might end up with a single functional team that has a mixture of software engineers, QA, and security. Or maybe separate teams working together. The trick is getting the right people involved earlier on.”
Zane Lackey, who built the cybersecurity effort at Etsy and is currently Co-Founder and CSO at Signal Sciences, ties the InfoSec team’s role closely to DevOps. “Its role shifts from being this blocker or gatekeeper to actually thinking about, how do I enable the rest of the business to move faster—whether that’s the development team, whether that’s the DevOps teams—whatever side of the business they’re interfacing with, the real shift becomes, how do we enable them to move faster?”
The Role of Tooling in DevSecOps
While DevOps is more of a culture change than a technology effort, it unquestionably depends upon better automation tooling – and so too with DevSecOps. “Automation has a big part to play here because it removes the typical human barriers that introduce slowness and latency,” Scott explains. “Instead of emailing some team a document containing changes to review, a git commit could trigger automated tests that effectively carry out the decision-making process the person would have made.”
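To make Scott’s point concrete, here is an added example (not code from the article, Capital One, or any vendor named on this page) of what “a git commit triggers automated tests that carry out the decision a reviewer would have made” can look like in practice: a small security gate that a CI job runs over the commit’s unified diff, applies a handful of review rules to the added lines only, and fails the build when one fires. The rules, the `security-gate: accepted` marker and the sample diff are all constructed for illustration; a real deployment would tune the patterns and wire the script to `git diff` in the pipeline.

```python
"""Commit-triggered security gate: automating a review decision.

Run in CI against the diff of the commit under test (for example the
output of `git diff origin/main...HEAD`); exits non-zero when a rule
fires so the pipeline blocks the merge.  Rules and sample diff are
constructed for illustration, not taken from any real project.
"""
import re
import sys
from dataclasses import dataclass

# Each rule encodes a decision a reviewer would otherwise make by hand.
# Patterns are illustrative; a real deployment would tune them.
RULES = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "hard-coded AWS access key ID"),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
     "private key material committed"),
    ("tls-verify-off", re.compile(r"verify\s*=\s*False"),
     "TLS certificate verification disabled"),
    ("shell-injection", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
     "subprocess call with shell=True"),
]
# A reviewer can accept a finding explicitly on the offending line; the
# marker itself lands in the diff, so the acceptance is reviewable.
ACCEPT_MARKER = "security-gate: accepted"


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    message: str


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every line a unified diff adds."""
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            # Hunk header: the number after '+' is the first line in the new file.
            lineno = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+") and path is not None:
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith("-"):
            continue  # removed line: does not advance the new-file counter
        elif path is not None and not raw.startswith("\\"):
            lineno += 1  # context line


def review_diff(diff_text):
    """Apply every rule to every added line; return the findings that block."""
    findings = []
    for path, lineno, text in added_lines(diff_text):
        if ACCEPT_MARKER in text:
            continue  # explicitly accepted by a reviewer, leave an audit trail
        for name, pattern, message in RULES:
            if pattern.search(text):
                findings.append(Finding(name, path, lineno, message))
    return findings


def gate(diff_text):
    """True when the commit may proceed, False when a human must look."""
    return not review_diff(diff_text)


# Constructed sample diff, not from any real repository.  The AWS key is
# Amazon's documented placeholder value, not a live credential.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SESSION = requests.Session()
+SESSION.verify = False  # security-gate: accepted, internal CA in test env
 REGION = "us-east-1"
"""

if __name__ == "__main__":
    # Read a diff from stdin when piped (e.g. `git diff ... | python gate.py`),
    # otherwise demonstrate on the constructed sample.
    diff = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    for f in review_diff(diff):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.message}")
    sys.exit(0 if gate(diff) else 1)
```

Two design choices matter more than the regexes. The gate scans only added lines, so it judges the change in front of it rather than re-litigating the whole code base on every commit, which is what keeps it fast enough to sit on the commit path. And the accept marker gives developers an escape hatch that is itself part of the diff, so an accepted risk is visible to the next reviewer instead of being negotiated in an e-mail thread.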
Joshua Corman, Chief Security Officer and SVP at PTC, emphasizes this point. “DevOps involves processes and toolchains, but I think the defining attribute is culture, specifically empathy,” Corman says. “If you show DevOps teams how security can make them better, then as a reciprocation they tend to ask, ‘Well, are there any choices we make that would make your life easier?’”
Security vendors also see the importance of tooling to DevSecOps, even though it takes a supporting role to the necessary organizational transformation. “We’re baking DevSecOps into the entire software development process,” says Otto Berkes, EVP and CTO of CA Technologies. “We need an understanding that customers are going through a culture change. We can’t dump tools like Veracode into an organization and expect good use.”
Berkes’ boss, CA CEO Mike Gregoire, echoes this sentiment with advice for management. “Mandating DevSecOps is a fool’s errand,” Gregoire says. “You have to provide tools and training.”
Lackey adds some words of warning. “A lot of the security tools or vendors … have caused us more problems than they’ve actually solved, and so you see developers or DevOps folks … wince when they hear a new security tool coming or something because they’ve had negative experiences in the past,” Lackey warns. “When I think about … enabling those teams with security resources directly, it’s about plugging into what they’re already doing, and really thinking about security as a piece of the DevOps toolchain that folks are already thinking about.”
Better tooling and automation are thus important enablers of DevSecOps, but more important is including security considerations in the DevOps effort broadly – and by extension, across the digitally transformed organization as a whole.
For such organizations, the central principle must be that security is everyone’s responsibility. Given that a great many of today’s cyberattacks begin with phishing schemes that can target anyone in an organization, this principle is already of primary importance. DevSecOps is one way of making it a reality across the software development efforts essential to any digital enterprise.
About the author
Jason Bloomberg is a leading IT industry analyst, author, keynote speaker, and globally recognized expert on multiple disruptive trends in enterprise technology and digital transformation. He is ranked #5 on Thinkers360’s Top 50 Global Thought Leaders and Influencers on Cloud Computing for 2020, among the top nine low-code analysts on the Influencer50 Low-Code50 Study for 2019, #5 on Onalytica’s list of top Digital Transformation influencers for 2018, and #15 on Jax’s list of top DevOps influencers for 2017.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.