CIO

When DevOps Isn’t Enough

By Destiny Bertucci, Head Geek™, SolarWinds

The DevOps approach can accomplish many things, but can it help make your business more cybersecure? I don’t believe so. In fact, the notion of “DevSecOps”—making its way to an IT buzzword bingo card near you—could jeopardise informational security across the organisational surface. The best way to boost security is to build a central team responsible for baking it into the development process from start to finish.

More than just an attitude

DevOps brings various strengths to the development process, from agility of design to greater buy-in and collaboration across varied skill sets that would traditionally compete with, rather than work with, one another. But at the end of the day, DevOps is an attitude—and attitude alone can’t stop highly sophisticated, active security threats. That takes raw technical depth of the sort only specialised cybersecurity professionals possess.

Sure, that attitude makes for faster responses and greater willingness to change up strategy when things don’t work. This is, in most instances, a good thing—and one cybersecurity teams can learn from. But without a critical mass of expertise to back up that responsiveness, you won’t find an effective response, no matter how quickly you can adapt. In fact, that pace of change may jeopardise any hope of a cohesive, coordinated response to more significant or pressing security threats.

Let’s take an example from pop culture. The Avengers—Earth’s mightiest heroes—do a pretty good job of representing the DevOps attitude in how they operate. They bring together a bunch of different skill sets and, despite periodic clashes in personality and values, find the best solution with what is essentially an iterative approach to design: “If it doesn’t work, we try something else.” This is all well and good—until a Thanos-sized threat comes along. When that happens, even the best teamwork won’t be enough.

DevSecOps, assemble...?

Why not incorporate those security professionals into the DevOps process? At first glance, doing so makes sense. Security, much like operations, then has a say in the ongoing developmental process and can help developers pivot around whatever security issues they might face over time.

But dig a little deeper, and you’ll realise this strategy overlooks one of the fundamental principles of cybersecurity: The whole is stronger than the sum of its parts. A single cybersecurity expert only knows so much and can only handle so many threats at one time. Combining the powers of different experts, however, makes for a far more comprehensive and capable force that can handle threats, even when they evolve or display previously unexperienced behaviour.

A more productive approach, then, would be to do as most organisations already do—maintain centralised cybersecurity functions within the business—but with a slightly different mindset concerning their deployment. In many cases, cybersecurity teams still own a relatively small remit: keeping infrastructure under protection, making sure marketing isn’t spinning up weird apps on their cloud, that sort of thing. Instead, IT leaders would do well to reframe cybersecurity teams as “consultants”: applying their expertise to each of the various projects that the organisation runs in an advisory and technical context. In the same way that projects end up “passing through legal”, they should also be “passing through cybersecurity”—except that this should ideally happen at the planning stage, avoiding as much as possible the need to undo work and rewrite code.

With DevOps, but not of it

Those teams will interact with DevOps in a slightly different fashion from how, say, operations personnel do. For one, cybersecurity teams need authority—to enforce good governance and sanitisation without everyone having to agree on it first. Cybersecurity will also provide assurance: not in the sense of saying, “It’ll be okay!”, but in vetting and reviewing DevOps code, data, and workflows to ensure they meet enterprise-wide security protocols. Finally, the cybersecurity function should also continue to operate with autonomy when it comes to maintaining the products of the DevOps cycle, from upgrading and patching systems to pen-testing new apps or features when they feel the need.

If DevOps looks like the Avengers, the cybersecurity team most resembles Captain Marvel: a combination of powerful competencies in the one body that, while engaged with the DevOps process, isn’t a “part” of it, so much as an external force giving it strength and foundation. Like Kree-human hybrids, cybersecurity skills are already in short supply. Let’s make sure when we do deploy them, we do so in a way that doesn’t dilute them, but instead maximises them—so DevOps can achieve their goals with as much backing as possible.