How Are You Dealing with the Shift to DevSecOps?

About the Author:

Kellye Whitney
Kellye Whitney is an award-winning writer and editor. The former editor of Chief Learning Officer magazine is now the founder and Chief Creative Officer of Kellye Media, a Chicago-based media coaching, content and consulting company.


DevSecOps gets a lot of industry attention, but inside most companies the reaction – and adoption – is a bit more muted. DevOps, by comparison, is widely accepted in application development. For instance, 85% of respondents in Deloitte’s 2019 future of cyber survey of C-suite executives with security responsibilities said they use DevOps practices.

DevSecOps, however, is hard on its heels. According to data from Research and Markets, the DevSecOps market is expected to grow from $1.5 billion in 2018 to $5.9 billion by 2023 due to “the growing need for highly secure continuous application delivery and the increased focus on security and compliance.”

The DevSecOps approach, a combination of development, security and operations, prioritizes and integrates security into the software application lifecycle as early as the development phase. This represents a significant paradigm shift for the DevOps community.

The Need for Speed Often Predates Change

Traditionally in application development, the development team, with its programming expertise, built a product while the operations team, with its server and operating-system expertise, deployed it. DevOps merged the two teams into one, so that everyone has to understand both areas in order to keep up in today’s rapid software development environment. DevSecOps extends that merger to a third discipline: security.

Given the popularity of DevOps, the momentum is there for DevSecOps adoption, but progress has been slow at the enterprise level, in part because it requires a fairly significant philosophical shift. Change can be tough. Companies are used to having an engineering team deal with code – DevOps – and a separate security team handle compliance audits, run security scans and so on. Merging the two isn’t always as seamless as the DevSecOps model requires, because it calls on DevOps technical talent to pick up another set of skills: how to run security scans, read their output and act on it.

As is often the case with progress, some professionals will find themselves obsolete without careful career planning and additional training. For instance, security professionals who only know how to run scans will find themselves replaced by talent who can act in a more consultative fashion for DevSecOps teams: identifying best practices and vulnerabilities and then providing expert advice on how to prevent or solve those problems.

But there’s another reason DevSecOps adoption has been slower than the market’s need for it would suggest: there is a lack of skilled talent available to take on DevSecOps roles. Companies looking for – and not finding – this kind of talent will have to develop it themselves. They can’t do without it, and they can’t afford to wait until market supply catches up with market demand. Companies need agile, rapid software development as well as strong cybersecurity defense capabilities now.

Train to Build the DevSecOps Talent You Need

The only realistic option for closing this talent/skills gap is to train DevOps people to integrate vulnerability scanning, and the insights it produces, into the application development process. Initially, there may be some grumbles. Some will want to know why the security team can’t simply do what it’s always done and conduct the necessary compliance tests, audits and scans. Leaders will have to explain that when a company only releases code every few months, the old setup works fine and there is no need to change. That’s no longer the case, however.

Now teams release new code every week or even every day to keep up with increasingly accelerated development cycles. Handing each release to a separate security team in these circumstances takes too long, and in many cases there isn’t enough security talent to handle the workload anyway. Training the delivery team to run the checks itself, as part of the pipeline, is the most reasonable way to ensure an organization can handle fast code deployment without skipping security.
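What “integrating vulnerability scanning into the development process” looks like in practice is a gate in the pipeline that reads the scanner’s findings and decides whether the build may proceed, so that nobody has to wait for a separate security team to read a report. The following is an added example of such a gate, not code from the article; the JSON report format, the finding identifiers and the component names are constructed for illustration, and a real scanner’s output (SARIF, a vendor JSON, an SBOM with vulnerability data) would be adapted in the parsing function.

```python
"""Added example (not from the article): a minimal CI security gate.

A DevSecOps team runs the scanner in the pipeline, then feeds its report to
a small policy check like this one. The build fails when any finding at or
above the configured severity has not been explicitly accepted. The report
schema below is an assumption; adapt parse_findings() to the real scanner.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from typing import Iterable

# Severity ordering used by the policy. Scanners disagree on names; map
# theirs onto this scale in parse_findings().
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    id: str         # scanner rule id or advisory id (constructed here)
    severity: str   # one of SEVERITY_RANK
    component: str  # file, package or service the finding applies to


def parse_findings(report_json: str) -> list[Finding]:
    """Parse the (assumed) report format. Unknown severities are an error
    rather than silently treated as low, so a scanner schema change cannot
    quietly disable the gate."""
    doc = json.loads(report_json)
    findings = []
    for raw in doc.get("findings", []):
        sev = str(raw.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in finding {raw.get('id')!r}")
        findings.append(Finding(id=str(raw["id"]), severity=sev,
                                component=str(raw.get("component", "unknown"))))
    return findings


def evaluate_gate(findings: Iterable[Finding], fail_on: str = "high",
                  accepted_risks: Iterable[str] = ()) -> tuple[bool, list[str]]:
    """Return (blocked, reasons).

    A finding blocks the build when its severity meets the threshold and its
    id is not in accepted_risks. Accepted risks should live in version
    control next to the code and be reviewed like any other change, so the
    exception list is visible and auditable rather than a side channel."""
    threshold = SEVERITY_RANK[fail_on]
    accepted = set(accepted_risks)
    blocking = [f for f in findings
                if SEVERITY_RANK[f.severity] >= threshold and f.id not in accepted]
    reasons = [f"{f.severity.upper()} {f.id} in {f.component}" for f in blocking]
    return (len(blocking) > 0, reasons)


def run_gate(report_json: str, fail_on: str = "high",
             accepted_risks: Iterable[str] = ()) -> tuple[int, list[str]]:
    """Parse and evaluate; returns the process exit code a CI job would use."""
    blocked, reasons = evaluate_gate(parse_findings(report_json), fail_on, accepted_risks)
    return (1 if blocked else 0), reasons


# Constructed sample report; identifiers and components are made up.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "RULE-SQLI-001", "severity": "high", "component": "api/orders.py"},
        {"id": "DEP-00042", "severity": "medium", "component": "example-lib 1.2.3"},
        {"id": "DEP-00777", "severity": "critical", "component": "example-db-driver 4.0.1"},
    ]
})

if __name__ == "__main__":
    # In a pipeline the report would come from the scanner's output file and
    # the accepted-risk list from a reviewed file in the repository.
    code, reasons = run_gate(SAMPLE_REPORT, fail_on="high", accepted_risks={"DEP-00777"})
    for reason in reasons:
        print("BLOCK:", reason)
    print("gate result:", "FAIL" if code else "PASS")
    sys.exit(code)
```

Two design points matter more than the code itself. First, the threshold and the accepted-risk list are data the team owns and reviews, which is the “consultative” skill the article describes: deciding which findings are real for this application rather than just running the scan. Second, the gate fails closed on anything it does not understand, so a scanner upgrade that changes its severity labels surfaces as a broken build rather than as scans that quietly pass.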

For anyone who initially rebels against DevSecOps training it might also help to relay some of the other benefits that a move from a traditional DevOps approach to DevSecOps brings. In addition to increased operational efficiency and effectiveness, organizations will find:

·     It’s easier to identify system and application vulnerabilities.

·     Teams are stronger and collaborate better.

·     Security teams are more agile.

·     Tech talent will have more time to focus on strategic, high-value projects.

·     The environment as a whole will enjoy more transparency.

Conclusion

Today’s increasingly agile software development environment requires change if organizations and the technical talent that support them are to succeed. The shift from DevOps to DevSecOps is one of those changes. It leads to greater ROI, more innovation and a dynamic DevSecOps environment that supports high-speed, high-quality new software development – if organizations start now to prepare their talent for what lies ahead and, in many cases, is already in play.