DevOps and Security Belong Together


Is it really necessary to combine the two silos of development and operations with the complex world of enterprise security? Wouldn’t that curb the very agility that DevOps is supposed to deliver? As CTO of an IT service provider, I understand where these questions are coming from. Digitalization is all about speed, efficiency and agility, after all. But what is a fast, efficient system worth if it doesn’t pass basic security tests?
Experience shows that DevOps initiatives that fail in the last few phases of a project not only mean high costs and lost revenue, but also nip every further attempt at agility in the bud. Of course, integrating development, operations and security from the very beginning is complex and daunting. Security problems are often the death of promising innovations. In the context of DevOps, however, failing early simply means getting another chance to try again. The question therefore isn’t whether DevSecOps should replace DevOps, but how companies can manage a smooth transition.
Same challenges as DevOps
DevSecOps initiatives face almost exactly the same challenges as DevOps projects. More often than not, silo structures are not the real problem; organizational changes take care of them. What really thwarts innovation is the silo mindset and culture. Developers are widely perceived as creative and chaotic, security experts as pedantic and uncompromising. How could they ever work together, people ask themselves, and never even try.
Good news: communication is possible! Experience shows that collaboration between developers, administrators and security experts yields faster results and is more fun for everyone involved.
Management has the most important role to play in a DevSecOps structure, even more so than during DevOps projects. Leaders have to encourage the employees who want and inspire change. Open communication with those who fear or resist change is imperative. Asking questions is a potent tool for starting discussions. There are no right answers to questions like: How can IT and business work together to create and optimize new processes? How can the company succeed even more quickly with DevSecOps?
Diversity is key for successful agile organizations. However, after years of sticking to their own departments and silos, employees may find it difficult to collaborate at first. Even though most companies aim for Security by Design, development and security are often still two completely different worlds.
Steps for the implementation of DevSecOps
To become truly agile, companies have to successfully combine these two worlds. From our own experience with DevSecOps initiatives, NTT Data has compiled some practical steps on how to achieve this fusion:
- Install a security champion program.
  - Secure development is more fun for everyone!
- Allow development and security specialists to sit in on each other’s departments.
  - Getting to know each other promotes understanding of the common task.
- Provide training opportunities.
  - People want to learn, and learning together promotes joint success.
- Shape the relationship between IT and business fairly.
  - With increasing digitization, the old division into IT as supplier and business as customer no longer fits.
- Set common goals, which includes allowing DevSecOps teams to make decisions together.