Throughout a series of recent conversations that I've had with CISOs, a common question has emerged: "How do I get a seat at the DevOps table?"
It's an understandable challenge that many security leaders are grappling with today. Too often, security teams are unaware of what's in their organization's application pipeline until after it's pushed to production. Only then can they assess any potential risk introduced to the business, while simultaneously scrambling to take appropriate action.
To be in the room where it happens, to get that coveted invitation to the DevOps table — and keep your seat for the long run — you must contribute real value. It's not enough to simply be there. It requires a balanced give-and-take.
Adding value happens in different ways. From the business's perspective, security teams provide essential risk management and mitigation services to the organization, but from the DevOps perspective, more is needed. Security teams need to design programs and introduce solutions that can keep pace with the DevOps workflow. In a word, security needs to bring speed. Here are four ways to make that happen.
1. Forge Relationships
Sure, you can sit in on a few development conversations. It's a great way to initiate efforts around effectively securing applications and infrastructure. You'll learn a lot and maybe even share a few best practices on secure coding. But cultivating collaborative, mutually beneficial relationships requires much more. You have to make the time and effort to get to know your development counterparts. Get smart on DevOps fundamentals, read what they're reading, participate in regular demos, and understand what keeps them up at night and what excites them most about their work. These personal relationships and bits of insider knowledge will help you develop strong security strategies and implement the right solutions to help DevOps teams maintain velocity.
2. Champion Innovation
CISOs and security leaders, it's up to you to reverse the long-held perception of security as a barrier to innovation and growth. In fact, a recent Harvard Business Review Analytic Services study found 73% of respondents believe a CISO's ability to recognize and nurture innovation is "very important." By building relationships with the DevOps team, CISOs can begin to proactively anticipate their evolving needs, get involved in new DevOps initiatives at the start (instead of coming on board after issues are discovered) and even spearhead efforts to adopt new approaches that help drive innovation and speed processes — safely.
3. Speak Their Language
According to Gartner, "CISOs must apply rigor and perspective to the business orientation, cost and value of risk management and cybersecurity." Much has been written on the importance of CISOs "speaking the language of business" by communicating risk in terms of dollars and cents to executive teams and boards. But it can't stop there. Today's CISOs must also speak the language of DevOps. Risk must be communicated in terms of speed. Consider this line as an example: "If we wait to address vulnerabilities after they're uncovered late in the software development life cycle, you'll need to go back, reopen the code that you wrote, refresh your memory on the logic you built, and pinpoint the specific module that's causing a problem. This unnecessary backtracking is going to waste time and slow things down."
4. Deliver Solutions with Value
The primary purpose of the DevOps approach is to speed the development and release of software. It's a comprehensive, continuous process, and increasing speed demands orchestration and automation. To deliver real value to DevOps teams, security must adopt similarly agile methodologies. This means integrating application risk management seamlessly into the entire DevOps process, instead of emerging at inopportune times to fix software and infrastructure vulnerabilities as they surface. It means embracing tools that are fully transparent to developers and that let them keep their existing workflows. Such tools should be able to orchestrate and automate the discovery and prioritization of vulnerabilities, speed remediation efforts, and provide a single, consolidated view of risk.
Finding ways to empower DevOps at the speed of business is key to bridging the gap between security and development teams. By providing a security overlay to the pipeline platforms developers already use — from GitHub and GitLab to Azure DevOps and Bitbucket — and sharing risk and remediation advice in these platforms' native forms, developers can focus on what matters: the rapid development of high-quality software that drives competitive business and promises a safer, more productive society.