All types of organizations are embracing DevOps as a way to deliver work quickly and reliably. However, security sometimes falls by the wayside in favor of the desire to move fast. In fact, a recent Threat Stack survey shows that 52% of companies admit to sacrificing security for speed.
As a result, Security, Development, and Operations teams often remain deeply siloed, causing security to be treated as an afterthought and placing teams in constant “reactive mode” — which exposes the organization to unnecessary risk. Our recent survey of Development, Operations, and Security professionals spells out a few of the key issues:
- Security is siloed. At 38% of organizations, security is a completely separate team that is only brought in when needed.
- Developers can’t code securely. 44% of developers aren’t trained to code securely. Without this basic ability, code is often written without security in mind, and this causes security to become a disruptive bottleneck when it must inevitably step in and intervene.
- Operations doesn’t have security training. 42% of operations staff admit that they are not trained in basic security practices — meaning they can’t configure servers securely, and they do not see deploying securely as part of the configuration management process.
Ultimately, people and processes make up the foundation of every business transformation. SecOps is no different. Change can be difficult, but operationalizing cloud infrastructure security can help you reduce security incidents, ensure compliance, and innovate without sacrificing security or speed.
Below, we’ll walk through three of the cultural changes that need to take place at your organization to encourage people to embrace SecOps as they pursue innovation, speed, and scale.
Hack #1 – Create a Cultural Contract
“Cultural contracts” get everyone on the same page in terms of how team members should communicate and work together.
As an example, at Threat Stack, we believe that everyone must be willing to lend a hand to their coworkers when they need help — even if they are not a subject matter expert or didn’t write the code that caused problems.
To create a cultural contract of your own, meet with your team members to define the principles you’ll operate by and determine how each team member’s role can best be used.
Here are just a few questions you can ask your team at this meeting:
- How do we expect team members to help one another?
- How will we ensure that other team members are in alignment with our decisions?
- How do we establish common goals that everyone can work toward?
- What is each team member’s role in ensuring that the contract is followed?
- Where are our teams not seeing eye-to-eye?
- How do we currently resolve conflicts?
Hack #2 – Break Down Physical Boundaries
Experts say that 40–60% of all workplace interactions — including face-to-face and digital — happen with people who sit near you.
For this reason, consider seating Security and Operations people close to one another. This will encourage collaboration between teams that might not otherwise exist. When you do this, people will naturally begin asking each other questions about how they do their work. A collaborative or integrated floor plan makes it easier to understand how work gets done on each team, or even how each team defines “done.”
There is another benefit to this approach: If there’s a problem, people can easily get together to solve it — without having to overcome an “us and them” mentality, closed-door meetings, or the assigning of blame. Ideally, such a simple change can lead to a more unified security strategy across the Security and Operations organization over time.
Hack #3 – Break Down Ideological Boundaries
Try to understand how each team does its job by removing barriers to trust and replacing them with more collaborative, secure Operations practices. Explain that siloed operations can lead to negative compliance and security issues throughout the organization.
Instead, create a plan that will promote a proactive approach to security — rather than a reactive, ad hoc way of doing business. Try to build these practices in as new employees are onboarded. Measure and reward successes together as a team. With an approach like this, security will become an ingrained part of everything you do instead of an isolated, inefficient, and disruptive afterthought.
Final Words . . .
Hopefully, the recommendations outlined in this post will help your organization achieve better alignment and integration. To implement these culture hacks systematically, we recommend that you build them into a plan that includes milestones and timelines for achieving integration. Beyond this, we recommend establishing KPIs so you can measure the effectiveness of your new SecOps program, and make continual process improvements that will reduce security incidents — without undermining your organization’s speed and ability to innovate.
To learn more, download our latest guide: The SecOps Playbook for Cloud Infrastructure, Part II: Practitioner’s Guide for Security & Operations Teams.