The fast and disruptive nature of today’s business cycles means that IT and security leaders must incorporate agile processes in order to remain competitive and close the widening gap between development velocity and current security approaches. However, the reality is that many organisations still haven't (fully) adopted Agile methodology, and many are still only partially there with what is sometimes coined as ‘Wagile’ (Waterfall-Agile). Transitioning to agile means first outlining a core set of principles for development and fostering a cross-functional collaborative environment by removing hard boundaries between teams. This initial activity sets the stage for both continued digital transformation and, more importantly, cultural evolution and adoption of DevSecOps.
Technology has permeated literally all areas of business and the term “digital transformation” is ubiquitous. As a result of this, we’re in an application economy, which means that software developers possess much more influence over many decisions in the enterprise. In fact, in a book by Redmonk co-founder Stephen O’Grady entitled, The New Kingmakers, the effect that technology has had on business and the power that developers wield in the enterprise is discussed at length. O’Grady believes that “Developers are the most-important constituency in technology. They have the power to make or break businesses, whether by their preferences, their passions, or their own products.”
But with power comes great responsibility and there also needs to be a level of accountability to balance out that power to some degree. Unfortunately, the security aspects of that responsibility tend to be an afterthought, or worse yet, completely neglected until it’s too late.
The reason for this is two-fold. First, security teams are not aligned organisationally with the development and infrastructure teams, so they are typically behind when it comes to testing application updates and deployments. Culturally they are often viewed as an impediment to productivity and velocity, the “Department of No”. Second, the security product and tool sector is extremely fragmented: there is a plethora of disparate point-solution tools instead of comprehensive platforms that seamlessly embed into the software development life cycle and provide a strategic framework to build upon. As a result, static and dynamic security tests are only performed periodically and there is little to no productive collaboration with the development teams.
Instead of taking a holistic, strategic approach to changing this situation, companies often attempt to rapidly inject change by rigidly forcing a transition to an agile development methodology. But this rigidity is the exact opposite of agile. This tactical overreaction often results in the aforementioned ‘Wagile’ methodology implementation, and neglects the time needed to determine the correct set of development values and principles required for a truly agile environment. Also, cultural transformation is an evolutionary process and won’t happen overnight as it’s about “winning hearts and minds”, which requires time to establish mutual respect and understanding. It’s also important to note that any cultural changes need to take into account the current and future business requirements.
The need for cultural transformation
There is no shortage of products and tools in the cybersecurity sector, and while a scale-out approach works well for infrastructure architectures, it’s not an effective approach for improving security resiliency. Each tool is unique in how it is used, and there is no standard, normalised output of results, so an inordinate amount of time tends to be spent correlating and interpreting the results. Security teams are already short-staffed, and that’s not projected to improve any time soon. Security testing needs to be completely aligned with the agile development process and seamlessly integrated into the SDLC using automation and orchestration. Continuous improvement in the core tenets of the DevOps culture (collaboration, automation, measurement, and sharing) needs to be embraced by the security teams, which will transform the culture into what is known as DevSecOps.
The paradigm change that is a large component of DevSecOps is known as “Shifting Left”. Security testing has historically been performed outside of, or to the right of, the software development life cycle and CI/CD pipeline. In order to close the chasm that exists between the development and security teams, the organisational lines need to be blurred and security teams need to be an integrated part of the overall pipeline. Combined with involving the security team as early as possible, CISOs need to take a deep look at how their organisation is composed and understand the need for a strong group of engineers who have both deep security testing and remediation experience and a thorough understanding of the software development process. As part of this organisational change, the CISO needs to establish quality relationships with the VP of Engineering, the Head of Infrastructure, and whoever is responsible for the CI/CD toolchain.
CISOs have been articulating a desire for a “seat at the table”, and creating strong cultural bonds is the first step in building consensus and support for that goal. With the VP of Engineering, the CISO should strive to fully understand his/her initiatives and challenges and then find areas where security teams can seamlessly improve security testing and deliver assurance. A similar approach needs to be taken with the Head of Infrastructure: first determine where everything is (on-premises and/or public cloud), understand how updates are deployed, and once again, strive to deliver security solutions that increase resiliency. Security leaders need to show the ability to tie their organisations’ efforts to business outcomes and shift away from “fear, uncertainty, and doubt” messaging. Establishing a “common language” is essential to longer-term success and helps create a strong bond across the teams.
To boil this down, agile development requires a cultural transformation. We’ve all heard the phrase “People, Process, and Technology”, and the latter two are far easier to change than the deep-rooted convictions that exist in nearly every company. Collaboration is increased by first assembling a cohesive leadership team, creating clarity of goals, and then continuously communicating those clear goals. Improvements in vulnerability detection, remediation, and resiliency should be measured and shared across teams. Then, and only then, can security truly keep pace with agile development and enable a DevSecOps culture.
Mike Kail is Chief Technology Officer at CYBRIC