Now more than ever, development teams feel the pressure to release products, software, and apps at a rapid pace to keep up with the ultra-competitive market. And while security remains top-of-mind, lingering perceptions that security slows down processes and delays releases mean that a culture of collaboration and cooperation still does not exist between security and DevOps teams. For organizations to succeed while limiting exposure to attacks, leaders need to build a culture that bridges this gap.
Security, unfortunately, remains an afterthought in many organizations, with the vast majority of developers (81%) admitting to knowingly shipping vulnerable code. But with cyber attacks on the rise, there’s greater urgency than ever to bridge the divide between teams. This shift requires fostering a culture of collaboration across the organization, particularly between DevOps and security teams, to ensure that security is integrated into every stage of the development lifecycle. Here are three strategies:
Eliminate silos from the top down
The relationship between the chief information security officer (CISO) and the chief technology officer (CTO has become critical for collaboration to succeed. Leadership must foster a culture of security awareness and prioritize cybersecurity as an important component of an organization's strategic objectives. Their cooperation can bridge the gap between security priorities and technological advancements. By working closely together, CISOs and CTOs can reinforce the cultural and mindset shift towards DevSecOps. For example, organizing joint training sessions to educate both teams on the principles and practices of DevSecOps helps to foster a mutual understanding and respect for each other's roles.
They can also support collaboration between the two teams by investing in tools that support both security and DevOps processes, such as integrated development environments (IDEs) with security plug-ins, automated security testing tools, and continuous integration/continuous deployment (CI/CD) platforms with built-in security features. By investing in the right tools that integrate seamlessly into the DevOps pipeline, friction between tools is reduced. By championing cybersecurity initiatives and allocating necessary resources, leadership can drive a proactive approach to security across all departments.
Establish trust between teams
Lack of trust between security and DevOps has become one of the biggest barriers to effective cooperation between the two departments. Security teams are too often perceived as the department of “no” – imposing restrictions without considering the functionality of the work DevOps teams do. DevOps teams, on the other hand, view security as an obstacle to innovation and efficiency, which stops them from engaging security teams in the process.
To overcome these challenges, focus on building trust and nurturing connections between the teams. Establish consistent meetings, joint workshops, and cross-functional training sessions so both teams understand each other’s perspectives and constraints. This facilitates a shared understanding of objectives and priorities, allowing for more informed decision-making and improving overall security posture.
Balance risk management, together
While it’s essential to mitigate risks, it’s also important to recognize that eliminating risk all together is neither practical nor feasible. Effective risk management requires identifying and prioritizing risks based on their potential impact on the business. That’s why ongoing communication and collaboration between security and DevOps teams is important: so they can work together to assess risks, make informed decisions, and implement appropriate mitigations.
When security teams are part of the process, they can identify potential vulnerabilities early in the development cycle and evaluate their impact on the business. Regular meetings and updates between security and development teams ensure both teams are aware of potential risks and let them put a plan in place to determine which risks to address immediately and which to monitor over time. This joint effort allows for a more comprehensive understanding of the risk landscape, enabling teams to prioritize risks based on their severity and likelihood.
The concept of shifting left has gained significant traction in recent years as organizations seek to integrate security measures earlier in the development lifecycle. While this approach represents a positive step toward more secure coding practices, cooperation and collaboration between security and DevOps teams still falls short. Doing this requires encouraging open dialogue, shared responsibility, and mutual understanding of each team's goals and challenges. By doing so, organizations can ensure that security becomes an integral part of the development process that leads to more robust and secure products, not a mere afterthought.
Chris Wood, principal application security SME, Immersive Labs