DevOps is already in use among 19% of IT organizations, with another 19% in a pilot phase. Another 35% intend to implement DevOps in 2017, thereby “crossing the chasm” next year, according to survey results announced by a major analyst firm whose conference on data center, infrastructure and operations was held last week.
As DevOps becomes mainstream, there is an inevitable draw to incorporate security into the discipline. Whether the term “DevSecOps” catches on or not, the idea that security must “shift-left” to move earlier into the software supply chain is an idea whose time has come.
What is DevOps?
Before addressing the future of including security in DevOps, it may be helpful to define DevOps. One of the challenges is that every DevOps program is a snowflake. George Spafford, one of the authors of the popular DevOps book The Phoenix Project, once said, “Ask five different people to define DevOps and you get seven different answers.”
Gartner has a definition of DevOps, but it uses insider terms that may not be accessible to those unfamiliar with agile development methods. There is resistance to defining DevOps, because an industry-wide standard would run counter to the goal of implementing it in the way that best fits each company and achieves the business results it needs.
Therefore, without a standard definition, it is helpful to understand the history. Agile development was created in response to pressure from businesses to innovate faster. The release velocity of development, though, can only be as fast as infrastructure and operations allow. The resulting pressure for development and operations to work more collaboratively is the impetus for DevOps.
As a grass-roots movement, while there is continuing debate about the definition, there does seem to be a growing consensus that DevOps supports these big principles:
• DevOps exists to help the business win
• The scope is broad, but centered on IT
• The foundations are in Agile and Lean
• (Collaborative) culture is important
• Feedback is fuel for innovation
• Automation helps
Ultimately, DevOps is about a collaborative, agile approach to solving business problems or seizing business opportunities with information technology.
How does DevOps intersect with security?
If DevOps is being used in your organization, here are ways that security can support the effort using the six principles listed above:
1. DevOps exists to help the business win – Security has the reputation of being the “department of no”. While mitigating risk through policy will remain an important component of information security, business requirements must be an equal contributor to those policies, rather than the policies being based on security practices alone. Instead of operating as two opposing attorneys who each advocate for their own position, the business must be informed of risks and sign off on them, while security, working in collaboration, must consider first how to help the business compete.
2. The scope is broad, but centered on IT – In order for the business to win in a world being transformed by digitalization (think about what Uber has been doing to the taxi industry), IT stands at the center of this transformation. But it does not stand alone. An alignment of company effort with HR, finance, operations and even external suppliers is necessary. Information security should continuously seek to make its interactions with these groups as frictionless as possible, within the risk tolerance and regulatory requirements of the business.
3. The foundations are in Agile and Lean – Understanding the Agile manifesto and the lean principles taken from manufacturing operations at Toyota will go a long way towards helping security professionals join in on DevOps. Security must align with efforts toward continuous integration/delivery/deployment and offer proactive means of eliminating constraints (such as time spent waiting on approvals) in the software supply chain.
4. Culture is very important – One of the most critical differences between DevOps and what has come before is the emphasis on collaboration. This is a cultural mindset of sharing common goals to achieve and measurements that represent business rather than technical outcomes. Security must join in collaborative efforts to reduce risk rather than acting as disassociated critics.
5. Feedback is fuel for innovation – Experimentation and learning are important to DevOps, and both require sufficient feedback, especially from the business. That feedback needs to be exposed to everyone so that improvement and greater innovation can follow, but this requires practices like “blameless postmortems” to improve the system. Security culture must avoid being a blame culture in DevOps.
6. Automation helps – Automation brings the advantages of faster and more consistent delivery with higher quality. Tools are a force multiplier for DevOps, but aren’t the foundation. Automation can’t force collaboration, but it does make it easier. Security tools to test, certify or monitor should be included in the tool chain for DevOps, and their output shared broadly for the sake of improvement.
2017 is the year for information security teams to align with the work being done in DevOps, whether you call it DevSecOps or not, and to become a better partner to both the business and the rest of IT. Your business is depending on that ability to seize opportunities and stand up to the pressures of digitalization by innovating faster while lowering risk.