The global and independent platform for the SAP community.

DevOps, but secure

Integrating the development and operation of software is a declared goal of every DevOps initiative. In view of the complexity of this task, many companies ignore security for the time being. But this is a fatal mistake.
Oliver Köth, NTT Data
September 5, 2019
DevOps Column
avatar
This text has been automatically translated from German to English.

Does it really make sense to merge the two silos of development and operations with the hermetic world of security to create an agile organization? Doesn't that mean slowing down the agile momentum of DevOps right away?

Admittedly, as the CTO of an IT service provider, I understand questions like these all too well. After all, digitization is all about fast results. Systems that can be introduced quickly and operated efficiently.

But what's the point if development seems to be completed in record time, but the product then fails safety tests? Experience shows: In addition to high costs and missed revenue opportunities, such a DevOps approach that fails too late also damages the agile strategy behind it.

It is true that the agile organization makes it difficult to establish development, security and operations as a whole right from the start. Security problems nip many a hopeful development in the bud.

But here, too, it is important to see early failure as an opportunity that can save expensive bad investments. So the question is not whether DevOps will become DevSecOps, but how it can succeed.

The obstacles on the way to a DevSecOps organization are hardly any different from those that any DevOps approach has to contend with anyway: In addition to the silo structure, which can be changed by organizational measures, it is the entrenched silo culture that lives on in people's minds.

The contrasts between "creative but chaotic" developers and "uncompromising, pedantic" security experts are even more apparent here than in the interaction between development and operations.

The good news for all involved: Understanding is possible! In fact, experience shows that team-oriented collaboration between developers, administrators and security experts produces better results faster and is more fun at the same time.

The most important task in implementing a DevSecOps structure lies with the top management. It must establish culture brokers who want change, find like-minded people and can inspire others to do so.

First of all, therefore, an open exchange within the existing framework is necessary that does not shy away from confrontation between forces that insist and those that want to change. This is where the actors can be found, who together develop structures of mutual adaptation and connection. In concrete terms, it is a matter of asking questions.

Not to get the "right" answers, but to get the discourse going: How can IT and business work together to improve existing processes and create new ones? What do the previous silos need to know about each other for this? How can we achieve more faster with DevSecOps?

Diversity in the team is a key to successful agile organizations. But how do interdisciplinary teams operate when for years each department has worked for itself? Despite all the commitments to security by design, development and security are still two worlds apart in most companies today.

In merging these worlds into an agile organization, the following practical steps have proven successful in NTT Data DevSecOps projects worldwide:

  • Install Security Champion program
  • Safe development is more fun
  • Allow specialists for development and safety to observe in the respective other department
  • Getting to know each other promotes understanding of the common task
  • Provide training opportunities
  • People want to learn - learning together promotes joint success
  • Shape the relationship between IT and business fairly
  • With increasing digitization, the old division into IT as supplier and business as customer no longer fits
  • Set common goals, which includes allowing DevSecOps teams to make decisions together.

https://e3mag.com/partners/ntt-data-deutschland-gmbh/

avatar
Oliver Köth, NTT Data

Oliver Köth is CTO at NTT Data Germany.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 20, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.