In today's software development landscape, seamless integration of security practices is an absolute must-have for every organization. Teams see DevSecOps as a key solution because it embeds security into the entire development lifecycle and creates a culture of security awareness and collaboration.

But to create a cultural foundation for DevSecOps in your organization, there are 3 subjects you must understand and implement immediately to succeed:

  • Gathering C-level support, which involves understanding who your security stakeholders are, what their priorities are, and how to approach them.
  • Seamless experiences, which focus on leaning into what your developers want, and the next 5 years of security in DevOps tooling.
  • Moving left (and dragging culture with you), which helps identify cultural weaknesses, elevate security champions, and understand how to shape culture itself.

In this blog, I’ll explore these 3 subjects in depth and discuss their challenges and strategies.

Gathering C-level support

Seeing the process of gathering C-level support as a game of chess can offer great insights, with each C-level executive representing a distinct chess piece. So let's examine the role of each piece:

CEO (Chief Executive Officer)

Seeking C-level support is vital for mastering your DevSecOps journey. The more C-level executives you have backing you, the higher you go up the organizational ladder, with backing from the CEO being the most elusive piece to acquire. As a technical security expert, it's only natural to have a narrow focus. But the CEO's perspective spans the whole organization, and security should be put on their radar. Security and DevOps will flourish without barriers only when you gain the CEO's support.

Here’s my advice to anyone looking to talk about security to their CEOs:

  1. Talk about the big picture.
  2. Discuss any points you would use to convince other C-level members.
  3. Lean into the idea of excellence and keeping pace with (or outpacing) the competition.

CTO (Chief Technology Officer)

The CTO is a power piece in the organization and is directly invested in cybersecurity due to their proximity to technology. Talk about the actual technology with them; they can dig into the core of your discussion. The next 5 years are vital, as most C-level members are very forward-focused. The great thing about security is that you can see its evolution as it progresses.

When discussing vulnerabilities and security with others, it is essential to focus on the positive aspects rather than rely on a strategy of fear. Vulnerability handling improves exponentially every year, which makes the next 5 years critical for leveraging security advancements. So instead of dwelling on mistakes and high-profile breaches like the Log4j vulnerability, emphasize success and forward progress. Positivity encourages proactive measures and paves the way to success in security.

CISO (Chief Information Security Officer)

CISOs play a key role in the DevSecOps puzzle. Without incorporating security into DevOps practices (DevSecOps), there's a risk of leaving security behind, a major concern for CISOs. Thankfully, they’re more attuned to present security challenges, making it easier to discuss current concerns and address immediate issues. A forward-thinking CISO should already be considering advancements in security for the years to come.

By discussing future security trends and technologies, you can align your DevSecOps efforts with their vision and ensure a proactive and robust security approach. Collaborating with the CISO also ensures security remains an integral part of the DevOps process and minimizes risks associated with neglecting security in the development lifecycle.

CMO (Chief Marketing Officer)

Involving the CMO may come as a surprise, but they can play a significant role in supporting cybersecurity initiatives. After all, security coverage in the news is a major technology trend and a part of business continuity. As marketing deals with the company's existence as a business, aligning security with marketing efforts can be beneficial as it helps showcase the company's commitment to security and can positively impact branding efforts. Though not a top priority, the CMO can be an effective ally when approached with the right perspective.

Seamless experiences

Creating a seamless experience for developers is crucial in the realm of DevSecOps. Developers want to focus on coding and not be burdened with additional responsibilities like operations and security. When developers can concentrate on their core tasks, they become subject matter experts and experience a deeper sense of fulfillment. Fragmenting their time with multiple roles only leads to burnout and frustration.

To foster a seamless experience for your developers, consider the following targets:

  • Low overhead: Aim for one-click installations or one-click activation of security features. Minimize the complexity of tools and processes to reduce the burden on developers.
  • Leader of the pack: Stay ahead in security rather than becoming obsolete. Out-of-date security tools won't protect your organization effectively.
  • Software bill of materials: Beyond listing dependencies, ensure the tools add value and meaning to the security process.
  • Invisible until alert: Security tools should operate seamlessly in the background, only becoming visible when security issues arise.
  • Follow wherever they go: Be adaptable and flexible to support emerging trends and technologies like cloud computing.

Moving left (and dragging culture with you)

To successfully move towards shifting left and building a security-focused culture, I would recommend you undertake these three key steps:

  1. Sharing knowledge: Avoid self-siloing in security and actively promote knowledge sharing across the organization. Knowledge-sharing sessions should include security experts and individuals who are not security professionals. Understanding the perspectives and journeys of developers and operations teams in adopting security is crucial for effective implementation.
  2. Open yourself as a mentor: Be open and approachable as a security professional, offering guidance and support to developers and teams. Avoid the traditional approach of late-stage security feedback, which can lead to resistance and antagonism. When you are present throughout the process, developers can seek help and advice, resulting in a more positive security culture.
  3. Finding security champions: Identify individuals within the organization who have a genuine interest in security and can become your champions. These individuals may be scattered across different teams, including developers, operations, and HR. Cultivate their passion for security, leverage their influence, and empower them to advocate for security best practices.

For DevSecOps, having security champions within your team is crucial. Security champions can help you navigate minor security operations and work effectively with small groups. They can take different forms: some may be your supporters, seeking your insights and guidance, while others may question everything, even bothering you throughout the day. However, these security champions are essential to win over and get on your side, as they become a valuable resource for security knowledge and can help deflect questions and handle issues.

Closing thoughts

Fostering a culture of community responsibility is vital in DevSecOps. Security isn’t just the responsibility of security experts; it's incumbent on everyone to be involved. Encourage security training, build internal communities to share knowledge, and be available to answer questions and provide guidance. By promoting openness and encouraging questions, you can avoid reluctance and create a culture where security and development work hand in hand.

Published: Aug 17, 2023
