Posted: 19 Sep. 2022 5 min. read

DevRiskOps: Risk management in DevOps

Cloud and Digital Risk blog series

This blog is part of our wider series on managing cloud and digital risk. It explores DevRiskOps.

What is DevOps, and what is it supposed to achieve?

DevOps is a concept that is gaining popularity and succeeding the traditional approach to software development. Its simplest definition is the intersection of development and operations. Its objectives are frequent deployment, faster delivery time to market, accelerated innovation, reduced failure rates and better recovery time. DevOps brings excellent benefits to an organisation: it increases operational efficiency and supports better delivery of services to consumers.

Whilst bringing these advantages, DevOps also increases an organisation's exposure to a range of technology risks, including cyber risk. DevOps also presents its own challenges, including reduced code quality where developers are unfamiliar with QA and face roadblocks in operations, a lack of alignment between project, DevOps and risk management goals, and the absence of fully automated risk characterisation, monitoring and mitigation.


Why DevRiskOps, and how should risk and controls teams approach it?

Streamlining and optimising the application delivery process are the essential benefits of DevOps, and they bring significant positive impact to organisations. However, those benefits may be undermined by the lack of an intuitive approach to risk and to the design of controls. Whilst the culture of experimentation and improvement provides a defined level of maturity for managing risk, the current risk management practices in the DevOps environment need to be applied more fully and improved further.

The three objectives we are hoping to achieve with DevRiskOps are:

  • To better understand how DevOps is used, focusing on risk and delivery optimisation.
  • To provide stakeholder insight into the environment at both a technical and granular level, supporting the requirement to demonstrate risks at each level throughout the organisation.
  • To maintain a basis to continuously improve the ecosystem with risks pertinent to the organisation at the forefront of the process.

Deloitte’s DevRiskOps helps to support the safe and scalable adoption of DevOps, underpinned by a risk-based mindset when embedding controls. It is important that risk and control teams understand the extent to which DevOps is currently in use across their organisation, and their resulting exposure to technology risks. Teams need to ensure a robust risk-based framework is in place to deliver risk optimisation and IT and system resilience.

One of the most discussed elements of DevOps is security; this has been covered intensively in the industry and is known as DevSecOps. DevRiskOps intends to go beyond security risk alone and look at risk in DevOps holistically, also considering compliance, software licensing and the supply chain.


DevRiskOps approach

The approach consists of four pillars: people, process, technology and governance. Together they support team coordination, streamline processes, rationalise the toolchain and provide governance for managing risk, all through a risk-based method.

Based on this, risk practitioners should consider the following when developing their approach:

  • Define the scope of the DevOps strategy.
  • Identify the DevOps functions and domain.
  • Clearly understand the risks in the DevOps domain and map them to the controls.
  • Ensure controls are correlated to the various stages in CI/CD pipelines.
  • Identify all relevant stakeholders.
  • Have an adequate automation process with a comprehensive toolchain and adequate metrics.
  • Work towards capability, not pure maturity.

There are benefits to using the above DevRiskOps approach. Supporting DevOps risk management objectives by walking alongside DevOps means starting small, with a repeatable process, iterative automation and continuous feedback. It also helps to establish and simplify the software acquisition process.


Summary

DevOps is in place to ensure frequent deployment, faster time to market, accelerated innovation, reduced failure rates and better recovery time. Complementary to that, DevRiskOps provides risk-based, end-to-end monitoring of risks and controls in CI/CD pipelines, and assurance of the delivery and deployment of software, to enable:

  • Continuous build, development and testing: mitigating the operational risk that arises from the time limitations often incurred between development and testing teams shipping versions.
  • Continuous monitoring: supporting mitigation of security and compliance risks and improving uptime.
  • Microservices transition: DevRiskOps frameworks enhance the transition by mapping DevOps risks to the proper controls.
  • Collaboration between silos: DevRiskOps enables teams to optimise the risk arising from that collaboration.

Implementing DevRiskOps provides many benefits, and applying a robust strategy will bring great improvements to any organisation. Notably, it enhances the DevOps lifecycle while making the risks presented to the business visible. It also enables existing methodologies and capabilities to be mobilised, so that existing infrastructure and knowledge are used further. Finally, it allows the identification of improvements and developments that will reduce the risk landscape presented to the organisation.


If you would like to discuss the contents of this article with one of our experts, who can help you develop a DevRiskOps strategy, please get in touch below.


To read the first article in our cloud risk series, click here: Pivoting to a digital risk and controls mindset | Deloitte UK

Key Contacts

Tom Bigham

Partner

Tom is a Partner in our Risk Advisory team, with over 18 years of experience in governance, risk, and control advisory services. Tom is regularly quoted in industry publications and has led risk and control programmes across many of our largest clients, ranging from embedding new risk and control frameworks, operating models, and driving digital transformation of risk management using technology. Tom also leads our GRC (governance, risk and compliance) practice in the UK, helping organisations make better use of technology (such as GRC platforms) and changing how risks and controls are managed to be more proactive and automated.

Edward Litchfield

Director

Ed is a Director in Deloitte's Technology and Digital Risk practice with a specific focus on cloud and technology risk management for digital businesses within Financial Services. A key enabler to digital transformation is cloud, and Ed supports his clients in the pursuit of moving fast and safely to the cloud, through effective governance and operating models, improving controls throughout the stack, and configuring automated controls in the cloud and change toolkits. His other focus is on helping his clients adapt and future proof their wider technology risk management approach, to identify and manage technology risks in a digital business, and balance speed of delivery with robust control. This includes identifying opportunities for automation and moving from traditional methods of assurance towards continuous control monitoring.

Reza Alavi

Senior Manager

Reza is a Senior Manager within Deloitte's Technology and Risk Advisory practice. He has extensive experience in leading and managing risk and security-related projects, governance, controls design, readiness assessment, and operational due diligence in Cloud, DevOps, DevSecOps and Software Development Life Cycle processes. Reza worked with several UK and global financial services companies with a primary focus on supporting them to establish and adopt sound and robust practices for managing technology risk in major digital re-platforming. He led, assessed and benchmarked large-scale, multi-national, cross geographic and technologically diverse projects. In addition, he is considered an SME for providing advice on the design and implementation of improvements to address risks and security in Cloud, DevOps and digital technologies to help identify leading practices that can be implemented for large firms.