How to build a strong DevSecOps culture: 5 tips

The most secure organizations treat security as a culture, not a step. Here’s how to nurture a DevSecOps culture of your own – and use metrics to gauge success
714 readers like this.
CIO Security

We have a tendency in IT to treat security as fundamentally a technology problem. Hence, we also tend to focus on technology solutions.

Tools and processes do matter: But if you’ll recall our recent look at the seven habits of strong security organizations, the top of the list had nothing explicitly to do with technology: These companies treat security as a culture, not a step.

[ Are you a DevOps job seeker or a hiring manager? Get our free resource: The Ultimate DevOps Hiring Guide. ]

That’s where the very term DevSecOps  – and more importantly, the culture and practices it represents – can begin to make a difference. The mashup of traditional roles and teams reminds teams: Many of our so-called technology issues ultimately boil down to people and how they work together.

A DevSecOps culture suits our increasingly hybrid computing environments, faster and more frequent software delivery, and other demands upon modern IT. That’s one reason why DevSecOps matters to IT leaders. It’s also the hard part: Culture change makes something like replacing an outdated tool look easy.

[ Want expert advice from your peers on leading IT culture change? Get our free eBook, The Open Organization Guide to IT Culture Change. ]

We asked security experts to share advice for sowing the seeds of a strong, sustainable DevSecOps culture. Let’s explore five practical tips:

1. One size DevSecOps does not fit all

A downside of a cultural and methodological shift like DevSecOps (as with its older sibling, DevOps) is people may assume that there’s a single “right” way of doing DevSecOps. Not so.

“Not all organizations are created equal, which is why there’s more than one model to implement DevSecOps,” says Amir Jerbi, CTO and co-founder at Aqua Security. “You can take security staff and embed them into DevOps teams, or you can train up specific developers to become the embedded security experts, or you can create cross-functional teams or task forces – or any combination that works culturally and organizationally.” 

Jerbi notes that each of these setups share a common denominator core to DevSecOps: Identifying and addressing security issues as early as possible. As such, any of them can help foster a strong DevSecOps culture, provided they make good sense for your broader organization and culture.

2. Embrace transparency

If you thought the friction between traditional development and operations silos was bad, well, those teams were practically agile compared with the traditional isolation of security teams.

Pete Cheslock, vice president of technical operations at Threat Stack, notes that siloed security teams remain common, and adds that the issues siloed functional teams cause are often exacerbated by a move to the cloud.

"Everyone in the organization should have skin in the game when it comes to security.”

“Oddly enough, many of these silos are actually created intentionally by the workforce because they think that it makes them more secure. It doesn’t,” Cheslock says. “All these silos really do is create an inability for each team to speak the same language. As a result they have difficulty translating what they do back into people and process.”

As Red Hat security strategist Kristen Newcomer shared with us previously, it doesn’t need to be this way. Getting rid of the longstanding isolation of security teams and using some model that better integrates various roles and responsibilities together, as in Jerbi’s examples above, can yield significant benefits. 

“Both sides [see] the value – each team expands their skill sets and knowledge base, making them more valuable technologists. DevOps done right – or DevSecOps – improves IT security,” notes Newcomer.

A starting point for that healthy culture, according to Sumo Logic CSO George Gerchow, is to mothball the silos and get comfortable with transparency.

“The foundation of a successful DevSecOps culture is total organizational transparency, and that includes all aspects of the IT department – security can no longer be siloed,” Gerchow says.

Growing that culture also depends upon removing unnecessary data silos, too.

“Organizations that are going through digital transformation or building modern-day applications work off the same data through different lenses, bringing everyone together instead of creating silos,” Gerchow explains.

Ignoring all this is a culture killer, says Jason Schmitt, CEO at Aporeto.

“This siloed mindset not only destroys the DevOps culture, but ultimately reduces the security posture of the whole organization,” Schmitt says. “Everyone in the organization should have skin in the game when it comes to security.”

[ Are you speaking the wrong language? See How to talk to normal people about security. ]

3. Invest in developer security education and training 

Most of the experts included here specifically mentioned ongoing education and training for software developers (and related job titles and roles) as a good step toward a healthy DevSecOps culture.

It’s one thing to say that security is everyone’s responsibility; it’s another to arm everyone with the knowledge and tools needed to actually make that so. 

Developers who haven’t previously had to bear much, or any, responsibility for the security of their code can’t suddenly be expected to bring the hardcore security know-how of a white-hat hacker to daily routines. 

But if you invest in developers’ security knowledge and tools, everyone benefits.

“IT leaders must invest in security training for their developers. This can come in the form of code review, short sprints, understanding what libraries are safe to use, or setting up feature flags that will check code carefully, one piece at a time,” Gerchow says. “This way, if something goes wrong, the DevSecOps team can get into the quality assurance mindset of fixing accordingly, with security as a top priority.”

Investing in education and knowledge-sharing can also help eradicate certain DevSecOps culture killers: The mindset that security is someone else’s responsibility is a common one, Jerbi notes. 

 

Kevin Casey writes about technology and business for a variety of publications. He won an Azbee Award, given by the American Society of Business Publication Editors, for his InformationWeek.com story, "Are You Too Old For IT?" He's a former community choice honoree in the Small Business Influencer Awards.