How Efforts to Integrate Cybersecurity with DevOps Fail and How to Address Them

Security is already being integrated into DevOps in the model called DevSecOps. There is a push to shift left to achieve better protection given the evolving nature of cyber threats and the expansion of cyber-attack surfaces. Also, organizations seek to make development and operations more efficient. Instead of implementing security as a separate function, there is consensus to move it into most of the DevOps processes (shift left) to spot potential security issues earlier and address them before a project is finalized.

However, bringing security into DevOps is easier said than done. Organizations should expect serious challenges along the way. The problems can range from administrative concerns to technical difficulties. It is important to explore these to achieve better outcomes in the shift towards DevSecOps.

Difficulty reconciling goals

DevOps teams are created to ensure the rapid development and deployment of projects in order to meet business objectives. This does not mean working at breakneck speed while tolerating compromises in quality and reliability. They focus on achieving high levels of efficiency to meet deadlines and deliver the planned outputs with top-notch quality.

Meanwhile, security teams emphasize thoroughness and caution to ensure that a project is free from security issues and other defects that cybercriminals can exploit. They seek to produce projects that are free from vulnerabilities, since vulnerabilities can lead to a range of unwanted consequences, including financial losses and reputational damage.

The DevOps and security teams’ goals are not inherently incompatible with each other, but it is difficult to bring them together. Doing continuous security testing during the development process entails more tasks, which results in a longer timeline. It is possible to maintain the pace of DevOps processes, but that would mean recruiting more members, something not every organization can afford.

Cybersecurity is an important factor in every project, and it spans several disciplines. It is not a single step that can simply be appended to a series of complex processes. It needs to be seamlessly integrated across different areas. In addition, all team members involved should be properly oriented and assigned unambiguous responsibilities.

Organizations need to reconcile their security and DevOps goals, and it is not a matter of meeting in the middle. The goals of both teams should be satisfied squarely. To achieve this, the teams need to collaborate closely and share insights on how to carry out their tasks efficiently. There should also be investment in the right systems and tools, such as static application security testing (SAST), dynamic application security testing (DAST), security orchestration, automation, and response (SOAR), and AI-powered tools that automate security scans.

Moreover, it is important to adopt a mindset of continuous improvement. Everyone should be able to share their opinions freely on issues, challenges, and ways to further improve the processes. Members should feel that they are contributors to the system, not mere subordinates who do what they are told.

Resistance to change

Another crucial obstacle to integrating security into DevOps is employees’ resistance to embracing a new way of doing things. This is completely understandable given the impact of security testing on speed and the added complexity in processes that will inevitably arise. There are also worries about taking on more responsibilities without added pay.

Team members are more likely to embrace change if everything is properly explained to them and they are made part of the changes that will be implemented. It is important to approach change in a participative manner. This sounds like advice intended for non-technical corporate settings, but it applies equally to DevOps. Team members should have a say in how security is integrated, especially in the new roles they are set to take on.

As one McKinsey study shows, around 70 percent of change programs fail because of employee resistance and management’s failure to provide support. Addressing this failure is the job of both employees and management. They need to work together to identify the reasons for resistance and provide suitable solutions.

If the reason is fear of complexity and the unknown, management should provide proper training. If the reason is the perception that employees will be doing more without being paid more, it is crucial to discuss the new arrangement openly. Communication and collaboration are vital in addressing resistance to change.

Skills gap

The integration of security into DevOps requires new knowledge and skills. It does not make sense to expect the DevOps team to readily know how to bring security into DevOps. Even after training sessions, a team that has mastered efficient development and operations processes for rapidly completing projects cannot be expected to master security integration just as well in a matter of weeks or months. Occasional mistakes and inconsistencies cannot be fully eliminated even after a year.

Organizations should allocate enough resources to support the training of DevOps members and regular interaction between the DevOps and security teams as they work together toward the seamless integration of security and DevOps. Learning the new skills may not be that difficult, but developing the habit or instinct of being security-conscious takes time.

Organizations also need to be ready for team members to progress at different rates as they make security a vital part of the DevOps process. There will be inconsistencies and other problems. Organizations need to be patient and resist the temptation to give up after a series of setbacks. Closing the skills gap will take some time, but it will eventually happen.

Turning failures into success

In summary, combining security with DevOps is challenging but not impossible. The seamless integration of security, development, and operations cannot happen overnight or even in a matter of weeks. Organizations need to put in the work, invest in the right tools and systems, and provide adequate training. It is also important to account for the reality of resistance to change.

The discussion here does not go into much technical detail. That is deliberate: coders and members of DevOps teams are generally already masters of the technical aspects, but they may need guidance when it comes to administrative matters and systematizing the changes in their processes.