DevSecOps: How to conquer 3 big culture challenges

Are you building a DevSecOps culture – one that bakes security into development from the start? Learn from your peers about the obstacles and routes to success
841 readers like this.
Leadership CIO with lightbulb

Just about any DevOps shop will hit speed bumps on the path toward continuous learning and improvement.

“Organizations are increasingly adopting DevOps environments in hopes of achieving transformative velocity and innovation,” says Elizabeth Lawler, VP of DevOps security at CyberArk. “But like any new business initiative, this comes with challenges – and in the case of DevOps, it’s often around culture and areas of responsibility.”

Even issues that seem technical in nature are often rooted in people. Take security: It’s as much a matter of culture and areas of responsibility as it is a technology problem, Lawler says. And even high-functioning DevOps teams are encountering challenges making security – and security teams – integral to development.

“One of the biggest areas of friction remains bringing together security and development operations,” Lawler notes.

This friction is driving interest in the DevSecOps approach – and, almost paradoxically, fueling resistance to DevSecOps practice. IT teams face several significant, common cultural challenges with DevSecOps, and while they might manifest in different ways, they’re closely related – often doing their damage in unison.

[ Read DevSecOps: 7 habits of strong security organizations. ]

We’ll identify a trio of these cultural roadblocks below. Then we’ll share strategies from IT leaders and security experts for proactively breaking down these challenges, as a necessary step toward DevSecOps success.

Culture challenge #1: An entrenched view of security as something that happens “later”

“The biggest change in mindset necessary to [create] a mature DevSecOps practice is to understand that security cannot be done as an afterthought,” says Premand Chandrasekaran, VP of software engineering at Barclaycard, a division of the global bank Barclays. “Rather, it requires the attitude that it is built into the continuous delivery pipeline.”

Environments can be spun up and down so quickly these days that their lifespan might be a matter of hours.

It’s a major – and necessary – change, due to the reality of how systems get built and operated today. Tim Jefferson, VP of public cloud at Barracuda Networks, points out that environments can be spun up and down so quickly these days that their lifespan might be a matter of hours. Security as a final step or afterthought is a non-starter.

“With the traditional model, the infrastructure was built, and the security audit was a post-mortem process,” Jefferson says. “Today, DevSecOps professionals are tasked with baking security into architecture as they build, and into the system as it’s deployed.”

Culture challenge #2: An “us-versus-them” mindset

Some of the friction isn’t new: Developers and security pros have often been at loggerheads with one another in the past, notes Meera Rao, senior principal consultant at Synopsys Software Integrity Group.

“The primary cause for this friction is that each team often has its own roadmap, responsibilities, and priorities – and completely different incentives,” Rao says.

Most devs and security practitioners reading this are probably nodding their heads.

“Security teams have long thought that developers were not interested in security,” says Franklin Mosley, senior application security engineer at PagerDuty. “Along those same lines, security teams also thought developers believed that security wasn’t their responsibility.”

Neither is necessarily true, Mosley points out. But the divide can remain evident even in relatively mature DevOps shops – if security remains as a separate entity, it’s effectively siloed, reinforcing an us-versus-them mindset.

Culture challenge #3: The belief that security hinders innovation

This belief has helped fuel the traditional conflict between dev and security teams, but it also speaks to a broader antipathy toward IT security, bred from treating security as an afterthought in the software pipeline. (See? We told you these issues often wreak havoc in unison.) As the demand for faster, more frequent delivery continues to grow, there remains a deep-seated view of security as something that slows everything down – the bane of a modern, transformative IT shop.

“We are all very used to this romantic image of the resourceful developer who codes swiftly and slickly – but not necessarily securely.”

“We are all very used to this romantic image of the resourceful developer who codes swiftly and slickly – but not necessarily securely, because security has been viewed as the antithesis of function,” says Robert Hawk, privacy and security lead at xMatters. “Thus, a big cultural challenge for DevSecOps is to instill order in the face of a legacy of chaos, and somehow accomplish this without hindering innovation.”

This is again both a driving force behind DevSecOps – part of its raison d’etre –  and a fundamental cultural challenge.

“Speed, velocity, and resiliency do not need to be sacrificed in order to be secure and have more stakeholders at the table,” Lawler says.

Five routes to success

The solutions to these cultural problems require equal importance in two areas: Tweaking technical strategy and enabling better collaboration and organizational alignment. Let’s delve into five strategies for doing just that:

 

Kevin Casey writes about technology and business for a variety of publications. He won an Azbee Award, given by the American Society of Business Publication Editors, for his InformationWeek.com story, "Are You Too Old For IT?" He's a former community choice honoree in the Small Business Influencer Awards.