Who are the Star Players on Your DevSecOps Team?
DevSecOps is a practice that integrates security into DevOps. It emphasizes a continuous process in which development, security, and operations collaborate and work to not only innovate and push code, but also ensure security is built in throughout.
For a DevSecOps program to get off the ground and succeed for the long term, you need the right people within the organization to help enable its mission and goals. That is not always an easy task. Dev and Security teams often have different objectives. Dev wants to move fast. Security wants to slow down and ensure there are no risky vulnerabilities in the code that Dev is creating. Bringing these groups together requires a combination of new strategy, investment in tools, and cultural changes within the organization.
So, who are the key players that help bring this all together? It can vary, depending on the size of the organization and its goals. But in general, the following are key roles for helping to build and maintain a strong DevSecOps program.
The Chief Information Security Officer (CISO)
The CISO, as the senior executive in charge of cybersecurity for the entire organization, is a major player for any DevSecOps initiative. The mission of CISOs and their security teams is to reduce risk and enhance security at their organizations. A great way to do this is to shift more security resources toward the beginning of the development process, rather than spending even more on security later in the process, or after a major weakness has been discovered.
CISOs need to become strategic partners with staff on the development side, including software developers and others responsible for driving innovation in the organization.
The Security Champion
DevSecOps can often benefit from a designated security champion. This person is usually someone from the Dev side with a demonstrated interest in security who wants to advocate for more secure coding practices within their team.
In order to put a champion in place, organizations should launch a security champion program and identify someone (or several people) within their team who has a strong interest in risk mitigation to serve as a liaison between the Dev and Sec components. This person would champion the cause of building security into code and would strive to get Dev to buy into the concept.
The security champion should work closely with the CISO, other executives, and the security team to generate support and execute security programs as part of the development process. In some cases it might make sense to have one security champion (perhaps a high-level manager) work at the executive level and another (possibly a developer) work at the developer level, to ensure that security is getting attention throughout the development chain.
The Developers
Developers are the people who actually create the software that drives innovation for organizations. They are, of course, among the key players in the development process.
They also need to be contributors to the mission of enhancing security, and their role here is a major one: they write the code, and that code is where the vulnerabilities that attackers exploit are introduced.
One of the challenges for organizations is to break down any existing silos or barriers that keep developers and security teams apart and in somewhat opposing camps. Silos can create friction, slow the pace of software development, and hinder software product security efforts.
The Security Team
In addition to the CISO, DevSecOps teams should include members of the cybersecurity team, including managers responsible for ensuring that processes move along smoothly.
As on the developer side, there is often a natural divide between the development function and the security function. This divide needs to be eliminated if DevSecOps is to succeed. Security and development can work together by defining shared goals and creating metrics that help improve outcomes for both sides.
All Together Now: Dev and Sec Working Toward DevSecOps
DevSecOps isn’t just a program. It is really a culture within an organization. Identifying the right “star” players on your DevSecOps team will help to get everyone on the same page so security is baked into the process of development – and vulnerabilities are discovered earlier and more efficiently.