Why Culture is the Biggest Barrier to SecDevOps

There’s a wind of change blowing through the technology industry, striking right at the heart of our information security teams, who are facing a dramatically different world than we’ve seen in the past two decades.

In the new world of IT, automation and business acceleration outweigh the traditional rigor and process used to control risk. This has left many security teams on the sidelines while their counterparts accelerate the delivery of software and services to the cloud. The cloud is to blame (and celebrate) for this evolution of our industry, as it is now possible to dream up products or services that can be called into existence minutes later through cloud providers like Amazon Web Services. We don’t have to wait months for big capital expenditures to materialize as we did in the era of data centers.

Thanks to the DevOps movement, we’re seeing a paradigm shift – from corporate technology silos to integrated teams closely aligning their efforts. Instead of friction between various teams’ differing responsibilities and motivations, we’re seeing greater transparency within organizations due to the strong metrics-driven approach core to DevOps.

However, the apparent success of DevOps transformations still doesn’t address the shortcomings that traditional security models bring to the equation, which is why the DevOps movement has largely been devoid of strong security leadership. The incumbent security technologies typically demand that operational and engineering motivations yield in favor of risk aversion and protective measures, which doesn’t happen as easily in a DevOps world. Cultural resistance persists on both sides: security teams hesitate to give up their veto power, while DevOps teams and the business insist on keeping their newfound freedom to drive the business forward.

How can we create cultural change to bridge this gap between security and DevOps? It’s largely up to the security teams to take a fresh perspective on how they can integrate their work into the new opportunities of DevOps. Security professionals need to help catalyze the shift from an approver/submitter relationship to an integrated, always-on approach to security within the DevOps processes. Start at the tooling level by understanding and embracing the tools that agile teams use to be successful, and then use this as the foundation for new security opportunities. For example, where product teams practice continuous integration and deployment, the security team can apply a continuous security philosophy to that same model. Teams can deploy tens or hundreds of times a day while live security analysis and alerting run alongside, catching human errors and preventing an attack from slipping by within the noise of the changes.

It’s all about creating a “Culture of Yes” within security teams. Instead of seeing the negatives in everything, security teams can embrace SecDevOps concepts and find the way to enable product teams to achieve their goals while actually improving security operations. There’s significant power in saying yes, in a world where “no” has been the de facto standard for so long. Is your organization ready to say yes to SecDevOps?

Disclaimer: This article was written by a guest contributor in his/her personal capacity. The opinions expressed in this article are the author’s own and do not necessarily reflect those of CloudWedge.com.