Is it really necessary to combine the two silos, development and operations, with the complex world of enterprise security? Wouldn’t that curb the very agility that DevOps is supposed to deliver?
As CTO of an IT service provider, I understand where these questions are coming from. Digitalization is all about speed, efficiency and agility, after all. But what is a fast, efficient system worth if it doesn’t pass basic security tests?
Experience shows that DevOps initiatives that fail in the last few phases of a project not only mean high costs and lost revenue; they also nip every further attempt at agility in the bud.
Of course, it is complex and daunting to integrate development, operation and security from the very beginning. Security problems are often the death of many promising innovations. However, in the context of DevOps, failing early just means getting another chance to try again.
The question therefore isn’t if DevSecOps should replace DevOps, but how companies can manage a smooth transition.
Same challenges as DevOps
DevSecOps initiatives face almost exactly the same challenges as DevOps projects. More often than not, silo structures are not the real problem – organizational changes take care of those. What really thwarts innovation is the silo mindset and culture.
Many people believe that developers are creative and chaotic, while security experts are perceived as pedantic and uncompromising. How could they ever work together, they ask themselves, and never bother to try.
Good news: communication is possible! Experience shows that collaboration between developers, administrators and security experts yields faster results and is more fun for everyone involved.
Management has the most important role to play in a DevSecOps structure; even more so than during DevOps projects. Leaders have to encourage employees who want and inspire change. Open communication with those who fear or don’t want change is imperative. Asking questions is a potent tool to start discussions. There are no right answers to questions like: How can IT and business work together to create and optimize new processes? How can the company succeed even more quickly with DevSecOps?
Diversity is key for successful agile organizations. However, it can be difficult for employees to collaborate at first, after years of sticking to their own departments and silos. Even though most companies aim for Security by Design, development and security are often still two completely different worlds.
Steps to achieve DevSecOps
To become truly agile, companies have to successfully combine these two worlds. From our own experience with DevSecOps initiatives, NTT Data has compiled some practical steps on how to achieve this fusion.
- Establish a security champion program. Secure development is more fun for everyone!
- Let developers and security experts get to know each other and the other departments, as this will make them more comfortable with and more understanding of the complexity of their tasks.
- People like learning, and learning together fosters companionship and yields faster results.
- Digitalization makes the separation of IT as supplier and business as customer obsolete. Companies therefore have to make sure that they treat both departments fairly and with respect.
- Let developers and security experts define joint goals. It’s imperative that DevSecOps teams can make some decisions on their own.