In general, people value results. They value things they can see and use. And they especially value things that make their daily work easier. This is why the DevOps process was created in the first place. DevOps is all about collaboration and getting quality applications out the door quickly; it’s about doing things precisely because they produce certain positive results. But there’s one place where DevOps isn’t seeing the outcomes they need, one area where more benefits and less work would be a welcome change. Security.
Where the Results Live
As we know, many organizations have created successful Security Champions Programs to empower their people and find better ways to unite security and DevOps. And they are enjoying some excellent results. This is obviously a great start, but it really only addresses half of the problem. What about a DevOps Champion? What could this new breed of superhero do for security?
Just as AppSec needs Security Champions to “speak the language” of developers, DevOps needs translators to liaise with the security branch, who can communicate information around complex details like tool integration, daily workflows and realistic deadlines. DevOps by nature is a high-velocity process, where new technologies are always being leveraged in the name of better software. It makes sense for security teams to advocate for developers by providing the information and solutions they need to keep their valuable applications protected. But to really make the partnership work, Security Champions need a counterpart who lives within AppSec teams as well.
Capes Come in Different Colors
Security Champions Programs within DevOps teams first came about because developers are typically not security experts, and they need advocates who understand their pain points. As such, these champions are DevOps pros who recognize the criticality of security within software excellence. A “DevOps Champion” within the security branch would do much of the same by communicating key issues around their unique concerns and workflows. Keeping security teams in the loop on what’s going on in DevOps opens up dialogue and empowers both teams to speak the same language, not just the one they know best.
Even though this type of partnership is still evolving, establishing close alignment between security and development, each with its own “Champion,” is a sure path to success. In this way, DevOps and Security Champions are a bit like tribal Chieftains, who meet to share the concerns of their respective people. And once they have communicated their own needs and listened to the other side, each Champion returns to their respective people (and the larger organization) with new security insights, solutions and best practices.
A Changing Game
DevOps Champions for security have the potential to change the game, as they instill a sense of shared responsibility and communicate the need for ongoing collaboration with security. Developer expertise in security not only makes the business stronger and more competitive, but it also ensures the overall excellence of today’s software doesn’t suffer from something as simple as communication breakdown.