DevSecOps - Enable your people to take an active cyber security role | Cyber Risk | Deloitte Netherlands


DevSecOps - Enable your people to take an active cyber security role

Empower teams to embed security into their daily activities

DevSecOps is underpinned by the philosophy of embedding security into every stage of the software development lifecycle with the right ways of working, tools, values, people and culture. Shifting security left moves security responsibilities to the teams that build and run the software. People are pivotal for its success, but they need to be empowered and educated to take up this task.

Written by Boris van Banning

DevSecOps is about embedding security throughout the software development lifecycle through governance, people, process and technology. In our previous blog, ‘Compliance as code – Benefits of DevSecOps from a governance perspective’, we stated that “the variety of talent required in the field of cybersecurity means that security should no longer be an IT specific concern”, which highlights the pivotal part that people play in this. In this blog we describe a few key efforts that enable technical and non-technical staff to take an active role in the company’s cyber security practices.

1. Redefine the skills profile

Integrating security in DevOps requires a change in the way people think and work. This goes beyond awareness: it requires deeper security expertise close to the development teams, so that it can be applied daily. Integrating security in the organization means that risk is managed not as an afterthought or a gate along the way, but as a persistent principle of operations. This change highlights a gap in skills and qualifications between security professionals and software development professionals, and the need to invest in security education for all employees, regardless of formal educational background. Security needs to be part of everybody’s skill set.

DevSecOps requires everyone in the organization to become an ambassador for security, as it is an integral part of the way of working. This starts with cyber security awareness in the broadest sense. A mature, company-wide level of security awareness helps to control threats beyond those specific to software development: the enhanced security culture protects the business against phishing and physical threats, and at the same time it keeps security on developers’ minds.

With DevOps, the responsibility and sense of ownership for the quality of the product move to the DevOps teams themselves, including when it comes to security. To take this on, teams need to be enabled with knowledge and trained in the capabilities to work securely, beyond general awareness. The most established means of doing this is hands-on security training that teaches teams to write secure code, learn how attackers work, use the security tool stack and become more proficient in security by design. Nourish the hacker mindset to encourage DevOps teams to develop with security in mind. The blog on “Process” will elaborate on applying a hacker mindset through threat modelling and writing abuser stories.

2. Establish Security Champions and Guilds

As cyber threats come in multiple forms, shapes and sizes, there is a need for constant vigilance from everyone in the organization. While it is neither feasible nor necessary for everyone in a team to become a security professional, it is possible to embed security knowledge in every team. This means creating structures that encourage cross-functional collaboration in order to leverage expertise and cross-pollinate security best practice.

An effective means of doing this is creating a network of security champions, where a member of each team volunteers to become a security champion. Security champions are security professionals or enthusiasts at various layers of the organization who act as the security “conscience” of their teams, thereby encouraging and cultivating security awareness throughout the organization. They receive extra training and information from the central security team so they can help their team and educate others. This turns security into a network with many nodes across the organization instead of a traditionally centralized department.

In turn, champions can together form security guilds within the organization. For example, the security champions within the software development organization can form a guild that organizes specific training and liaises with the central security team to continuously improve security in DevOps.

Having security champions is an effective way to cross-pollinate security skills and increase security awareness within and outside development teams. Organizations should empower these security guilds and champions to reach their highest potential. By involving everyone in the organization in doing their part for security, the security rationale spreads across the whole organization, and the risk of the technologies it builds and uses is reduced by promoting their secure creation and usage.

3. Continuous learning and continuous improvement

DevSecOps relies on iterative and continuous activities (e.g. continuous integration, continuous delivery) nourished by a culture of ownership and responsibility within the teams. In between the fast incremental changes, continuous feedback and learning are essential to optimize processes, improve products and, most importantly, improve the performance of the people in the team.

The phrase ‘fail often, fail fast’ describes a way of working in DevSecOps that encourages people to experiment, which enables that continuous improvement. The many small increments in DevSecOps provide the team with moments to review the performance of the last iteration and quickly see the results of a new idea. If an experiment fails, the team finds out soon enough and drops the idea in the upcoming sprints, without major consequences for the rest of the development process. Perhaps the next experiment does give you the improvements you hypothesized.

For security, the ‘fail often’ should of course be minimized, but in turn the ‘fail fast’ should be maximized: security failures should surface as early in the process as possible, in development and testing rather than in production. A prerequisite for such a culture is trust and psychological safety. Promote and reward speaking up. Use incidents and mistakes to learn from, not to punish. Part of the cultural change of DevOps is placing responsibility and ownership with the teams. This will only succeed when professionals are enabled to do so and feel that it will grow them and the team, as well as the quality of their product.

Educating and motivating individuals to reach their ambitions is an important element of growth, both for individuals and for their environment. It is essential that in this environment people are not only given feedback on their performance but also feedforward: focusing on which talents they want to grow and how they are going to achieve that.

People powered performance

As with any new initiative within the organization, governance, people, process and technology all need to be considered in the move to this new integrated way of working. The backbone of every successful transformation is the people who are intrinsically motivated to go the extra mile for their team and the organization. The bottom line is that in order to successfully cultivate a DevSecOps environment, management needs to drive a culture of innovation that consists of openness, transparency, ownership and accountability. Only with the right staff and the willingness of people to support such a change in the organization can the transformation from DevOps to DevSecOps be successful.

Enabling professionals to put the learned skills into practice requires specific security tooling in the development pipeline. Our next blog will therefore focus on technology: embedding automated security tools in the Continuous Integration and Continuous Delivery pipeline to develop secure software.

More information

For more information about DevSecOps or Cyber security, please contact Gijs Zijderveld, Tom Zijderhand, or Jelle Niemantsverdriet via the contact details below.
