In many ways, the DevOps process looks a lot like cooking for a large dinner party—with very short notice. DevOps requires the right blend of technical acumen, automated processes and tools to shorten development cycles and cut costs, empowering developers to serve up high-quality applications (or delicious entrees and desserts) in record time. Just like cooking, DevOps is a methodology that encourages experimentation. If something doesn’t taste quite right, you simply adjust the process in the next round of preparation. And, if it’s done right, you can still get a proper dinner on the table when guests arrive.
But what happens when compliance enters the kitchen to make sure security controls are implemented and monitored consistently? When measured against a black-and-white set of rules (whether mandated by a security framework, government body or customer contractual terms) these culinary creations are rendered inedible. The meat is two degrees off from a safe internal temperature, the veggies are missing key nutrients and the cake is lopsided because the batter wasn’t weighed precisely.
DevOps and Compliance: Opposing Agendas
DevOps and compliance teams are focused on—and incentivized by—very different priorities, so naturally, their perspectives are at odds.
DevOps teams are charged with innovating at high velocity to speed up software delivery and enable digital transformation initiatives that create a competitive advantage. According to Puppet, high-performing IT teams that implement DevOps practices are more agile, deploying software and changes 46x more frequently with 440x faster lead times than their lower-performing peers.
On the flip side, compliance teams are responsible for meeting ever-mounting regulations to protect the organization against crippling fines. What’s more, customers’ continued trust rests in their hands. A recent IBM study shows 64% of consumers have opted not to work with a business due to concerns about whether they could keep their data secure.
Simply put, modern business cannot have one without the other. Security and DevOps must unite to serve up DevSecOps.
The Blend of DevSecOps
Having two cooks in the kitchen can get crowded, not to mention that breaking down siloes while unifying DevOps, security and compliance teams to establish new processes takes precious time and resources.
Julia Child didn’t master the art of French cooking overnight. She tested and re-tested (again, again and again) all her recipes, making methodical adjustments until they were absolutely perfect. She learned and adopted new cooking techniques from different cultures. She figured out how to ask the right questions, and successfully implement feedback, to improve her craft.
CISOs and compliance officers can learn a lot from this approach to a craft. Instead of simply focusing on how to do their jobs, they must consider looking at things on a more macro level, reframing their question in terms of overall risk, so it becomes something like:
Whether they’re created by modern ways of working or ever-shifting attack methods, how do I gain complete and continuous visibility of the risks impacting my business?
The answer is clear: by embedding automated, transparent risk management into the entire DevOps process. Or to mix metaphors, from recipe ideation, food shopping and preparation to plate presentation and the meal itself. That is the journey you must take. Here are five ways to start making that shift right now:
- Open the Lines of Communication. DevOps teams are focused on delivering software—they’re not up-to-speed on the latest regulations. It’s up to security and compliance teams to communicate DevOps’ responsibilities and make sure they’re set up for success. Likewise, DevOps teams should be up-front about their processes and engage with security to understand what’s expected of them.
- Cultivate Security Leaders at the Top. Widespread, lasting change requires executive buy-in. Communicate early and often with leadership teams, helping them recognize the importance of change across people, processes and tools to achieve DevSecOps.
- Make Training Collaborative. Each team has something to teach the other. Security can learn coding fundamentals from DevOps teams, while security can enrich developer training with best practices and real-world attack scenarios.
- Be Consistent. Disparate security scanning tools and processes at different points in the software development life cycle (SDLC) can create unreliable results and compliance gaps. Scanning should be integrated across the SDLC and issues should be monitored in lockstep.
- Automate Early and Often. Complex DevOps environments make it nearly impossible to pinpoint and prioritize vulnerabilities—let alone address them quickly. Automating security processes empower developers to address real issues fast, so they can focus on innovating.
Modern business cannot move forward with just one team playing the role of head chef. DevOps and compliance teams must collaborate together to create masterpieces. This is a difficult, but necessary, reality of organizational transformation. Following these steps can help teams align on a common, shared mission—to deliver secure products that create significant business advantage—and “taste” great to the customers they’re trying to reach.