Improving the Business with DevOps & SecOps Alignment
By Jay Pope
How can security leaders and professionals effectively communicate security risks to the CEO or C-level managers? We have hopefully progressed from statements such as “Let me explain the risk in technical terms” and learned that the only way to communicate risk at this level is in business terms. Similarly, how can we help our security specialists, perhaps working in an operations team (SecOps), to grasp the same business terms? The challenge looks different: SecOps typically explain risk in technical terms, so skilful communication here means helping highly technical people to see beyond the purely technical. Finally, how can we encourage our development specialists, working as agile operations staff (DevOps), to communicate their needs to SecOps and related teams? Funnily enough, it’s the same answer again: it’s all about business needs and priorities.
Take the Tech out of Security
Understanding our audience is a key skill that we have honed over the years. It’s not just about removing the tech, but knowing how and when to replace it, thinking about the audience’s pain points, and what will motivate them. We need them to make the connection between their business goals and security. Are they driven by deadlines for keeping time-sensitive data available and consistent across their web services and information-exchange partners, or are they bringing a new, innovative product to market? Will they tolerate a higher security risk short-term to bring the product to market sooner? Or are they largely concerned with the bottom line? If we can quantify risk in terms of its financial impact, coupled with how likely it is to happen (expected loss is impact multiplied by likelihood), we have a credible story. Having gained high-level backing based on business needs, we can build security concerns into development priorities and use them to influence what is developed and how.
Communicating Business Priorities for Development
We need to develop, deliver and operate applications quickly and repeatably, and DevOps efficiency enables this. We need our teams to be agile and to fuse both development and operations disciplines. Designers need to analyse how the system will operate as well as its functional requirements. Security concerns can get lost in the noise. We need to help the business to define its security goals and then make them an integral part of development.
We can build currency with the teams by focusing on security improvements that have a positive impact on development. One example is how we build our development environments. We have learned that having a standardised configuration reduces the likelihood of unrepeatable bugs: “it only fails on one server”. DevOps can take this a stage further by turning the development environment build into code. Changes to the build are tracked like any other code change. With the right tools, SecOps can participate here by advising on and reviewing the code. As the code evolves, security can be improved progressively. Reviewing the build code also gives traceability: every environment can be traced back to a reviewed version, and the review covers the glue as well as the servers, such as the process automation, the step functions and Lambdas it wires together, and how data is persisted and shared between them.
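The review described above works best when the SecOps requirements are themselves code that runs in the pipeline. The following is an added example, not code from the article or the author's organisation: a small policy-as-code check over an environment definition. The resource list is an assumed, simplified layout loosely modelled on Terraform resource names (aws_security_group, aws_s3_bucket); the attribute fields, rule identifiers (SG-001, S3-001, S3-002) and the two sample environments are constructed for illustration and are not a real provider schema.

```python
"""Policy-as-code review of an environment build, run in CI.

Added example, not the article's code. It assumes a simplified resource
list loosely modelled on Terraform resource names (aws_security_group,
aws_s3_bucket); the attribute layout here is invented for illustration
and is not a real provider schema. SecOps own the rules, DevOps own the
environment code, and both change through the same review process.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_IPV4 = ip_network("0.0.0.0/0")
ADMIN_PORTS = {22, 3389}  # SSH and RDP: never exposed to the whole internet


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def _open_to_world(cidr: str) -> bool:
    """True if the CIDR is the whole IPv4 range. Unparseable CIDRs fail closed."""
    try:
        return ip_network(cidr, strict=False) == ANY_IPV4
    except ValueError:
        return True


def check_security_group(name: str, attrs: dict) -> list:
    """SG-001: no administrative port may be reachable from 0.0.0.0/0."""
    findings = []
    for rule in attrs.get("ingress", []):
        ports = set(range(rule["from_port"], rule["to_port"] + 1))
        world = any(_open_to_world(c) for c in rule.get("cidr_blocks", []))
        if world and ports & ADMIN_PORTS:
            findings.append(Finding(name, "SG-001",
                                    f"ports {rule['from_port']}-{rule['to_port']} open to 0.0.0.0/0"))
    return findings


def check_bucket(name: str, attrs: dict) -> list:
    """S3-001: buckets are private. S3-002: data at rest is encrypted."""
    findings = []
    acl = attrs.get("acl", "private")
    if acl != "private":
        findings.append(Finding(name, "S3-001", f"non-private ACL '{acl}'"))
    if not attrs.get("server_side_encryption", False):
        findings.append(Finding(name, "S3-002", "server-side encryption not enabled"))
    return findings


# Resource types without a rule pass silently; add a rule here to cover them.
CHECKS = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_bucket,
}


def check_environment(resources: list) -> list:
    """Apply every registered rule to every resource and collect the findings."""
    findings = []
    for res in resources:
        check = CHECKS.get(res["type"])
        if check is not None:
            findings.extend(check(res["name"], res.get("attributes", {})))
    return findings


def ci_gate(resources: list) -> bool:
    """The CI step: True lets the change merge, False blocks it."""
    return not check_environment(resources)


# Constructed sample: a typical first cut of a dev environment.
DEV_ENVIRONMENT = [
    {"type": "aws_security_group", "name": "dev-bastion", "attributes": {"ingress": [
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
    ]}},
    {"type": "aws_s3_bucket", "name": "dev-artifacts",
     "attributes": {"acl": "public-read", "server_side_encryption": False}},
    {"type": "aws_instance", "name": "dev-web", "attributes": {}},
]

# The same environment after the review comments are addressed.
HARDENED_ENVIRONMENT = [
    {"type": "aws_security_group", "name": "dev-bastion", "attributes": {"ingress": [
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]},
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
    ]}},
    {"type": "aws_s3_bucket", "name": "dev-artifacts",
     "attributes": {"acl": "private", "server_side_encryption": True}},
    {"type": "aws_instance", "name": "dev-web", "attributes": {}},
]

if __name__ == "__main__":
    for env_name, env in (("dev", DEV_ENVIRONMENT), ("hardened", HARDENED_ENVIRONMENT)):
        print(env_name, "passes" if ci_gate(env) else "blocked")
        for f in check_environment(env):
            print(f"  {f.rule} {f.resource}: {f.detail}")
```

The point for the teams is that a rule such as SG-001 is reviewed, versioned and relaxed or tightened through the same pull requests as the environment it governs, so "what level of risk is acceptable" becomes a visible, auditable setting rather than an opinion exchanged in a meeting. The first environment is blocked with three findings; the hardened one passes.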
Sometimes SecOps cannot keep up with the speed of development and delivery. They need time to assess applications and the operating environment and may be a brake on change, so we should encourage SecOps to facilitate agreement on what level of risk is acceptable at each stage and improve on that progressively.
A key area where DevOps and SecOps can collaborate is automated testing. We know that automated testing, although seemingly expensive, can progressively improve development. Tests are run as part of continuous integration (CI) and continuous delivery (CD). If we encourage the DevOps team to adopt security and regulatory requirements into their process, we create an opening for SecOps to join in. Each SecOps requirement will be built into the application with SecOps guidance, without unduly slowing development.
Security professionals are accustomed to seeing requirements in terms of documentation – vulnerabilities and regulations. However, it seldom makes sense for SecOps to paraphrase requirements into smaller documents, instead they need to consider their audience. SecOps can communicate much more effectively with DevOps using checklists. Developers can use small lists of bullet points as reminders – how to protect against SQL injection for example – when checking in code.
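One way to make both of the points above concrete, as an added example that is not code from the article or the author's organisation: the checklist item "use parameterised queries" written as a CI test, so that the SecOps requirement from the automated-testing section runs on every check-in rather than living in a document. The users table, the two lookup functions and the injection payloads are constructed for illustration; sqlite3 from the Python standard library stands in for the real database.

```python
"""A SecOps checklist item ("use parameterised queries") as a CI test.

Added example, not the article's code. The users table, the two lookup
functions and the injection payloads are constructed for illustration;
sqlite3 from the standard library stands in for the real database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 1),
        ("bob", "bob@example.com", 0),
    ])
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    """Violates the checklist: the SQL is built by string formatting."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str) -> list:
    """Follows the checklist: the value travels as a bound parameter."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payloads. Neither is a real username, so a correct lookup
# must return no rows for either of them.
INJECTION_PAYLOADS = [
    "x' OR '1'='1",                                     # tautology
    "' UNION SELECT username, is_admin FROM users --",  # read another column
]


def ci_injection_test(lookup) -> bool:
    """Pass if the lookup returns nothing for every payload."""
    conn = make_db()
    return all(lookup(conn, payload) == [] for payload in INJECTION_PAYLOADS)


if __name__ == "__main__":
    for name, fn in (("vulnerable", find_user_vulnerable), ("safe", find_user_safe)):
        print(f"{name}: {'PASS' if ci_injection_test(fn) else 'FAIL'}")
```

Run against the string-formatted lookup the test fails, because the tautology returns every row and the UNION payload returns the is_admin column in place of the email; against the parameterised lookup both payloads are treated as literal usernames and match nothing. The developer gets a red build with the checklist item in the test name, which is a far more useful reminder than a paragraph in a standards document.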
DevOps efficiency brings with it reproducible and therefore auditable processes. Encouraging DevOps and SecOps to collaborate will bring improvement and alignment. We can ensure that our security requirements are embedded in the application and environment. As well as satisfying business sponsors, this provides evidence for internal or external audit that we are walking the talk on security. Identity management, access control and super-user actions can be audited as well as tested.
It is possible, then, for security to keep up with our goals for developing new products and services, but it is not easy and it does involve assessing priorities. To empower DevOps and SecOps to collaborate, they both need to work from the same set of business priorities.
We need to support SecOps in getting their message across. Firstly, when quantifying risk for business sponsors – expressing risk in business terms – and secondly during development. By facilitating openings where SecOps can achieve their needs as well as genuinely adding value, we can strengthen the bond between them. Finally, we need to encourage SecOps to set realistic objectives which take our businesses in the right direction but in achievable and measurable steps. If SecOps create barriers to development, unwieldy processes and heavy documentation, DevOps will find it challenging to work with them.
Ultimately, achieving business growth is about harnessing the potential of our staff. A strong team is good: it is an immensely valuable asset and can achieve great things, but we must get it to look outside its own area too. An IT organisation built from strong teams that can agree on common priorities and deliver against them is truly exceptional.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and is on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position and meet technical, business and ethics due diligence requirements. Schedule a call to learn more about how we can help.