DevOps, but secure

Does it really make sense to merge the two silos of development and operations with the hermetic world of security to create an agile organization? Doesn't that mean slowing down the agile momentum of DevOps right away?

Admittedly, as the CTO of an IT service provider, I understand questions like these all too well. After all, digitization is all about fast results. Systems that can be introduced quickly and operated efficiently.

But what's the point if development seems to be completed in record time, but the product then fails safety tests? Experience shows: In addition to high costs and missed revenue opportunities, such a DevOps approach that fails too late also damages the agile strategy behind it.

It is true that the agile organization makes it difficult to establish development, security and operations as a whole right from the start. Security problems nip many a hopeful development in the bud.

But here, too, it is important to see early failure as an opportunity that can save expensive bad investments. So the question is not whether DevOps will become DevSecOps, but how it can succeed.

The obstacles on the way to a DevSecOps organization are hardly any different from those that any DevOps approach has to contend with anyway: In addition to the silo structure, which can be changed by organizational measures, it is the entrenched silo culture that lives on in people's minds.

The contrasts between "creative but chaotic" developers and "uncompromising, pedantic" security experts are even more apparent here than in the interaction between development and operations.

The good news for all involved: Understanding is possible! In fact, experience shows that team-oriented collaboration between developers, administrators and security experts produces better results faster and is more fun at the same time.

The most important task in implementing a DevSecOps structure lies with the top management. It must establish culture brokers who want change, find like-minded people and can inspire others to do so.

First of all, therefore, an open exchange within the existing framework is necessary that does not shy away from confrontation between forces that insist and those that want to change. This is where the actors can be found, who together develop structures of mutual adaptation and connection. In concrete terms, it is a matter of asking questions.

Not to get the "right" answers, but to get the discourse going: How can IT and business work together to improve existing processes and create new ones? What do the previous silos need to know about each other for this? How can we achieve more faster with DevSecOps?

Diversity in the team is a key to successful agile organizations. But how do interdisciplinary teams operate when for years each department has worked for itself? Despite all the commitments to security by design, development and security are still two worlds apart in most companies today.

In merging these worlds into an agile organization, the following practical steps have proven successful in NTT Data DevSecOps projects worldwide:

• Install Security Champion program
• Safe development is more fun
• Allow specialists for development and safety to observe in the respective other department
• Getting to know each other promotes understanding of the common task
• Provide training opportunities
• People want to learn - learning together promotes joint success
• Shape the relationship between IT and business fairly
• With increasing digitization, the old division into IT as supplier and business as customer no longer fits
• Set common goals, which includes allowing DevSecOps teams to make decisions together.