Soccer is a team sport (and in the case of the World Cup, a global fan sport too!) where the collaborative efforts of players often dictate the game’s winner. Everyone must focus and work together with a single goal and purpose for the common good of the team. These same principles hold true for DevSecOps.
Much like soccer, getting started with DevSecOps requires a team of players in different positions, including development, IT operations and security. It’s a collaborative and inclusive movement that not only encourages individuals to work with other teams and step outside the traditional channels, but also embraces automation and orchestration so they can work together more easily.
However, security has traditionally been viewed as a barrier to velocity and innovation, working separately from the development and IT teams due to cultural, and sometimes language, differences. Just as working individually isn’t a success strategy on the field, it won’t work in DevSecOps, and the team you put together can either carry you to success or get stuck along the way and fall short of expectations.
When exploring how to implement DevSecOps in an organization ask, “Who are the players who will help win the game?”
As with soccer, leadership is essential to DevSecOps. A culture change, one that results in a world where DevOps and SecOps teams can collaborate, must start at the top and trickle down. In soccer, it starts with the coach and works its way through each player. In DevSecOps, it starts with the CIO.
CIOs need to lead the charge and articulate the value of DevSecOps. CIOs should be viewed as a “trusted advisor,” instilling confidence in their C-suite peers as well as clearly articulating to the CEO and board how their strategic initiatives are aligned and empowering the business. Coaches in soccer need to spend time getting to know their players, and similarly, CIOs should spend time with members of the DevOps and security teams to get a view into any cultural biases or differing views of security.
Historically, a contentious relationship has existed between development and security teams and it will be important to figure out how development and security teams can work together and start speaking a common language. This is a valuable part of the process as a cultural transformation can often be more challenging than the technical aspects of DevSecOps execution.
In team sports there is often a team captain, a player that both the coach and other players trust to lead the team in the right direction. In DevSecOps, the team captain is the CISO. The CISO, like other players on the team, often reports to the CIO (a.k.a., the coach), but should be seen as a “trusted peer”, staying highly aligned and collaborative with CIOs around every corporate initiative. The team captain is also often a conduit between the coach and the players. Similarly, CISOs have to bridge the gap between business and technology within the organization. This involves serving as an intermediary who can clearly communicate goals and orchestrate planning and collaboration between DevOps and SecOps teams as well as educate executive teams and demonstrate the benefits that can be achieved over time with a DevSecOps mindset.
Feeling the pressure to accelerate development velocity in order to keep up with digital transformation, developers often view security as a barrier to innovation and their velocity goals. Today, developers need to understand that security is an important part of the process without adding friction so that they can maintain velocity. Developers should collaborate with CISOs and security team members from the beginning and establish a security strategy that’s consistent with the corporate culture. DevSecOps is an evolutionary process that won’t happen overnight. Just as soccer players need to practice to improve and to adapt to different team strategies and game plans, developers need to do the same.
Leveraging both automation and collaboration to shift security testing left into the software development life cycle (SDLC), thus driving the culture of DevSecOps, can facilitate this process. Developers may at first be hesitant to incorporate security into software development for fear that it will interrupt their process. But done right DevSecOps can empower developers to easily secure their applications without disruptions.
When it comes to culture, DevSecOps represents a big change for security teams as it builds on the idea that security is a shared responsibility. In soccer, being able to pass the ball is an important skill to possess, as it not only gets more players involved in the game but can open up opportunities to score. Similarly, security team members will have to alter their long-standing siloed privacy mentality to be more open, and to start sharing more of their reporting across the organization to increase visibility across departments.
Security teams will also need to start working more closely with the application developers. It will be important to understand their daily habits and workflow and devise ways to seamlessly integrate security into the entire SDLC, instead of being the barrier or gate to production deployment. Or worse yet, being bypassed completely. In order to close the chasm that exists between developers and security team members, the organizational lines need to be blurred and security team members need to be an integrated part of the overall development pipeline.
Application and Infrastructure security, especially in today’s high velocity, cloud-first world, is evolving and changing continuously. As a result, it’s important for security to start playing offense in a continuous manner instead of passive defense in which security checks are performed on a weekly/monthly/quarterly/annual basis. This involves moving toward a new approach where automation and orchestration are at the foundation of the application development and deployment processes.
Similar to DevOps, where core tenets involve collaboration, automation, measurement and sharing, DevSecOps emphasizes a collaborative approach and setting common goals. Just as in sports, having a single cross-functional team yields better results than multiple players working individually with different goals.