In today’s world, DevOps and compliance teams need to work together, not separately
Imagine this: You organized a dinner party weeks ago, promptly forgot about it and just realized tonight’s the night! You have two hours to whip up a gourmet meal for 10 friends. Instead of panicking, you get smart and enlist your kids to form an assembly line. One starts on sides, the other maps out dessert and you begin marinating steaks. All goes well—until the Brussels sprouts burn. Glancing at your watch, you sigh in relief—there’s just enough time to make another batch.
At that moment, your spouse walks in and assesses the situation. The meat is a tad underdone, the veggies could be crispier and the cake is lopsided. You can’t serve this meal! But now your guests are knocking. What do you do?
And more importantly, how does this scenario translate into a genuine business imperative?
The DevOps and Compliance Divide
In many ways, this dinner party dilemma exemplifies the clash between DevOps and compliance teams when it comes to priorities and perspectives.
- The DevOps PoV: Sure, we had a few hiccups along the way, but the end result smells and tastes amazing. Best of all, it’s hot, plated and ready on time for everyone to eat.
- The Compliance PoV: Yes, but the steak is 144°F. It needs to be 145°F to be considered safe. Boiling the veggies instead of steaming them depletes important vitamins from the meal. And both layers of the cake need to be exactly 2 inches tall.
Why the great divide? For starters, their reasons for being are at odds. The DevOps philosophy combines people, processes and tools to empower software developers and speed the delivery of high-quality applications, all while cutting costs. It’s also flexible, iterative and imperfect—experimentation is embraced. Imagine someone saying, “We’ll improve it in the next sprint.”
In contrast, compliance is all about order and uniformity; there aren’t any gray areas. Compliance teams are in place to make sure an organization’s security controls are implemented and monitored consistently. They adhere to a set of rules, mandated by a security framework, government body or customer contractual terms.
Yet in today’s world, these teams need to “cook” together—not separately. And that’s not easy.
Can’t Have One Without the Other
Compliance is a business imperative. Adhering to external regulations and the demands of your customers is of the utmost importance. If you think compliance is extraneous or expensive, try non-compliance. And it’s not just about avoiding millions (or even billions) of dollars in fines. It’s about maintaining trust. According to an IBM study, 53% of consumers say how well businesses protect their data from a cyberattack is “extremely important,” while 64% have opted not to work with a business due to concerns about whether they could keep their data secure. A company’s internal rules and controls are also implemented for good reasons, from instilling accountability to meeting customer requirements. They are not optional.
But neither is DevOps. It’s proven to boost competitive advantage by speeding up software delivery. In fact, high-performing IT teams that implement DevOps practices are more agile, deploying software and changes 46x more frequently with 440x faster lead times than their lower-performing peers. DevOps is also driving digital transformation by streamlining operations, cutting costs, accelerating agility and response, breaking down silos, challenging long-held mindsets, encouraging experimentation and cultivating collaboration, productivity and overall job satisfaction.
2 Cooks in the Kitchen: 5 Steps for Making it Work
So, how can two diametrically opposed “chefs” work in concert to create masterpieces? It’s a question that many CISOs and compliance officers are grappling with …
How do I do my job without standing in the way of DevOps?
To find the answer, they must ask another, broader question …
How do I get complete and continuous visibility of the risks impacting my business?
The only way to do this is to embed automated, transparent risk management into the entire DevOps process. Here’s how to get started:
- Open Up. Compliance and security teams need to be clear about what’s required of DevOps teams. Effective, ongoing communication and granular details will ensure DevOps teams understand their responsibilities and are empowered to do their part. This open line should flow both ways. DevOps teams should be transparent with compliance about their processes, ask lots of questions and understand how their actions will impact the business.
- Get Leadership On Board. Widespread change across people, processes and tools requires support from the top. Executive teams have to believe in it and back it. This will help your organization push through the tough times, convince the cynics and ensure sustained success.
- Make Training a Two-Way Street. Train security teams in DevOps processes—it’s easier to protect what you can understand. And involve security in developer training, from attack “post-mortems” to sharing source code repositories.
- Embed Security from the Start. Most organizations have multiple security scanning tools in place to identify vulnerabilities at different points in the DevOps process. But when each tool reports into its own console, the result is alert overload, gaps between tools and more questions than answers. Instead, scanning should run at the same, predictable points across the software development life cycle, and every finding should flow into one central place where it is tracked to closure.
- Embrace Automation. Automating the collection and triage of scan results shows where the same vulnerability keeps coming back and which findings carry the most risk, so developers can address the real issues quickly and get back to business.
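As an added illustration of the last two steps (this is not code from the original post, and the scanner names, rule IDs, file paths and the simplified report shape are all invented for the example), the script below merges constructed sample findings from three hypothetical scanners across three commits into one deduplicated, risk-ranked list. It collapses the same issue reported by two tools into a single record, counts how many commits an issue has survived, ranks open issues by severity and persistence, and separates out findings that disappeared in the latest commit:

```python
"""Merge findings from several scanners into one deduplicated, risk-ranked list.

Added example, not code from the original post. Scanner names, rule IDs and
file paths are invented, and the report shape is a simplified stand-in for
real tool output such as SARIF.
"""
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample: three hypothetical scanners run on three consecutive
# commits a1 -> b2 -> c3. Not the output of any real tool.
SCANNER_REPORTS = {
    "sast_a": [
        {"rule": "SQLI-001", "file": "app/db.py", "severity": "high", "commit": "a1"},
        {"rule": "SQLI-001", "file": "app/db.py", "severity": "high", "commit": "b2"},
        {"rule": "SQLI-001", "file": "app/db.py", "severity": "high", "commit": "c3"},
        {"rule": "XSS-007", "file": "web/views.py", "severity": "medium", "commit": "c3"},
    ],
    "sast_b": [
        # The same SQL injection reported by a second tool: one issue, not two.
        {"rule": "SQLI-001", "file": "app/db.py", "severity": "high", "commit": "c3"},
        # Reported in a1 only, so it no longer exists at the latest commit.
        {"rule": "SECRET-003", "file": "config/settings.py", "severity": "high", "commit": "a1"},
    ],
    "deps": [
        {"rule": "DEP-042", "file": "requirements.txt", "severity": "critical", "commit": "b2"},
        {"rule": "DEP-042", "file": "requirements.txt", "severity": "critical", "commit": "c3"},
    ],
}


def fingerprint(finding):
    """Identity of an issue across tools and commits.

    Rule ID plus file path is deliberately coarse: line numbers shift between
    commits and would make every edit look like a brand-new finding.
    """
    return (finding["rule"], finding["file"])


def aggregate(reports, commit_order):
    """Collapse raw findings into one record per issue.

    Returns a dict keyed by fingerprint holding the worst severity seen, the
    scanners that reported it, the commits it appeared in, its recurrence
    count, and whether it is still open (present in the newest commit).
    """
    issues = defaultdict(lambda: {"severity": None, "scanners": set(), "commits": set()})
    for scanner, findings in reports.items():
        for f in findings:
            rec = issues[fingerprint(f)]
            if rec["severity"] is None or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[rec["severity"]]:
                rec["severity"] = f["severity"]
            rec["scanners"].add(scanner)
            rec["commits"].add(f["commit"])
    latest = commit_order[-1]
    for rec in issues.values():
        rec["open"] = latest in rec["commits"]
        rec["recurrence"] = len(rec["commits"])
    return dict(issues)


def ranked_open_issues(reports, commit_order):
    """Open issues ordered by severity, then by how many commits they have
    survived, then by how many independent tools agree. This is the list a
    developer should see first, instead of every raw alert from every tool."""
    issues = aggregate(reports, commit_order)
    open_issues = [(fp, rec) for fp, rec in issues.items() if rec["open"]]
    open_issues.sort(
        key=lambda item: (
            SEVERITY_RANK[item[1]["severity"]],
            item[1]["recurrence"],
            len(item[1]["scanners"]),
        ),
        reverse=True,
    )
    return open_issues


if __name__ == "__main__":
    order = ["a1", "b2", "c3"]
    raw = sum(len(v) for v in SCANNER_REPORTS.values())
    ranked = ranked_open_issues(SCANNER_REPORTS, order)
    print(f"{raw} raw alerts -> {len(ranked)} open issues")
    for (rule, path), rec in ranked:
        print(f"{rec['severity']:<8} {rule:<11} {path:<22} "
              f"seen in {rec['recurrence']} commit(s) by {sorted(rec['scanners'])}")
    resolved = [fp for fp, rec in aggregate(SCANNER_REPORTS, order).items() if not rec["open"]]
    print("resolved since last commit:", resolved)
```

On this sample, eight raw alerts collapse to three open issues, with the critical dependency finding first, the SQL injection that has survived three commits and two tools second, and the one-off medium finding last; the hard-coded secret seen only in the first commit is reported as resolved rather than left to clutter the queue. The fingerprint choice is the part worth arguing about with your own tools: too fine (including line numbers) and every refactor creates "new" findings, too coarse and distinct bugs in one file merge.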
Just like perfecting a signature dish, bringing DevOps, security and compliance into alignment takes time. It takes cooperation and patience. All significant organizational shifts do. But by following these steps, you will pave the way for DevSecOps—the holy grail of modern security—to strengthen customer trust and business endurance. Turns out, working together makes things safer and more enjoyable in both the culinary arts and application security.