DevOps plays a critical role in today's business landscape, enabling organizations to automate and innovate swiftly at a time when digital transformation projects put a premium on those capabilities. The benefits of DevOps, though, can only be relied on when related security risk mitigation is considered and embedded into DevOps processes.
In that spirit, here are the top five questions I would pose to DevOps job candidates, as a CISO interviewing them. A common thread in the questions is driving toward an understanding of whether DevOps (or DevSecOps, mindful of incorporating security considerations) candidates view themselves as part of the equation to help address security risk management or are focused more narrowly on just doing their work from an engineering and IT perspective.
1. What Are the Security Benefits of DevOps?
A sound DevOps process can address many security risks. Having an engineer who understands that and can articulate it lets you know there is common ground on which to build, and that engineer will be part of the security team. Automation through DevOps allows for more security controls to be built into the development process; it shifts the accountability for properly implementing these controls to the developer and engineers who are potentially creating the risk. Candidates who recognize the value of that accountability and build on it — such as with better controls like sound configuration management, access controls, system hardening, and asset inventory — are more likely to use the automation that is available to them versus finding a way around the processes.
2. What Security Challenges Have You Encountered in DevOps Models and Environments?
Not everything goes to plan, and plenty of organizations are still in the early stages of maturing their DevOps programs. Understanding what challenges the candidate has seen and had to work through is another great way to learn about the candidate, as well as potentially glean new strategies that have been successful in troubleshooting elsewhere. This question can outline the depth of the candidate's understanding about the importance of security concepts in DevOps models.
Problem-solving capabilities are key in any role, and that holds especially true in a field that calls for working through tricky scenarios, such as navigating requests from the business for security exceptions. Is the candidate the type of person who just accepted the risk and moved on, or did they question the exception and engage the right expertise to find the proper balance between risk and business needs?
3. What Experience Do You Have Integrating Security Into DevOps Methods?
Hearing how people have integrated security into DevOps in a previous role can help the interviewer learn from the candidate and potentially apply some of those insights and capabilities into the organization's own DevOps processes and life cycle. The candidate may have come from an organization that is much further along the maturity curve of driving security through DevOps, which could be very helpful to your organization.
Conversely, if would be a red flag if the candidate does not have experience integrating security into DevOps. More and more security teams are embedding security controls and processes into DevOps, so it would behoove a DevOps candidate to be able to answer that question and speak to examples of how DevOps tooling and methodology has resulted in better security.
This also provides a view into how much awareness and training the candidate possesses related to key security concepts and will help you determine whether you will be starting from scratch or have a good foundation on which to build.
4. Do You Have a Preference for Open Source or Commercial Tools?
For me, the right answer to this question would be to exhibit a nuanced, situational mindset. It is important for DevOps practitioners to understand what the company's culture, vision, methods, and policies are regarding using different types of tools and recognizing what the right tool is for a specific use case.
The ideal candidate would have experience with both open source and commercial tools, understand the pros and cons, and take all of that into account in a thoughtful approach on how to work through these decisions based on the organization's objectives noted above. What you don't want to hear is somebody who, for example, is steadfast about using open source tools exclusively because they will then try to force-feed tools for situations they don't fit, potentially introducing new or additional security, compliance, and risk problems.
5. Do You Consider DevSecOps to Be More of an Enabler or Inhibitor of Digital Transformation?
Most digital transformation projects move at rapid speed and involve new opportunities for a company, which might include bleeding-edge technologies and capabilities. Legacy models are often too slow and cumbersome to adequately support digital transformation. The more barriers that can be removed through DevOps methods and automation, the more organizations will be able to transform quickly and efficiently.
That said, security can't be an afterthought. Security leaders are looking for partners who view DevSecOps (adding security to the mix) as an enabler of digital transformation. Practitioners who view security as an inhibitor in digital transformation are the ones likely to be butting heads with the security team on a regular basis. Conversely, DevOps engineers and developers who are receptive to embedding security into their projects will be equipped to drive security risk down through their normal, day-to-day processes.
In conclusion, although the current job market is creating significant advantages for the job seeker, it is definitely worthwhile to find candidates who have experience with models that embed security into their DevOps processes and automation. As a person accountable for driving security into the organization and making it a business enabler, you must look for the people who will work as part of your security team, not a detriment.