3 Ways Security Leaders Can Work With DevOps to Build a Culture of Security

Learn how your organization can boost security efforts by eliminating the disconnect between Security and DevOps teams.

Establishing a strong security culture that bridges the gap between DevOps and security is one of the greatest challenges that CISOs and other security leaders face.

Because apps and digital services drive business growth and competitiveness, DevOps teams must develop and deploy software quickly and frequently. With businesses prioritizing agility over security, security often gets overlooked, creating opportunities for cybercriminals to attack. Just last year, 40-plus billion records were exposed as a result of data breaches. Now more than ever, organizations must establish a strong security culture that unites DevOps and security teams.

However, CISOs often find that this isn’t as simple as it sounds. Why? DevOps teams’ priority is to work diligently to get software and products developed and into production as fast as possible. Meanwhile, security teams focus on identifying and eliminating threats. Thus, a disconnect often exists between these teams as DevOps generally views security as a hindrance.

How can CISOs overcome this disconnect?

Although there is no one panacea, here are 3 ways CISOs and security leaders can work with DevOps to build a culture of security.

Step 1. Assess your current security culture

What does your current security culture look like?

Start by conducting one-on-one interviews with key DevOps stakeholders and fielding internal surveys to larger groups of employees. This assessment will help you identify areas for improvement and new opportunities. Additionally, it can help you understand how your DevOps counterparts perceive security efforts, so you can identify and prioritize pressing issues.

During an assessment, security leaders should ask themselves:

1. How does my DevOps team perceive their roles and responsibilities with regard to building secure software?
2. Is anyone in DevOps behaving in a way that makes them an easy target for cybercriminals?
3. How does the DevOps team protect sensitive data and workloads in the cloud?
4. Are there opportunities for improvement?

A thorough and honest assessment provides security leaders with the insight and visibility needed to strengthen areas of weakness, such as outdated software and policies, compliance issues, security misconfigurations, communication challenges, organizational silos and human errors. During the assessment, don’t forget to gather information about security incidents and feedback from employees.

By assessing your current security culture, you will identify and understand your team’s attitudes and behaviors towards security and empower them to become security champions that help build a strong security culture.

Step 2. Create an effective change management plan

Now that you have identified what your current security culture looks like in addition to opportunities for growth and improvement, the next step is creating a change management plan.

How can CISOs overcome DevOps teams’ reluctance and resistance to change, and get them to embrace new cyber security attitudes and behaviors?

For starters, they must offer DevOps teams the proper resources, tools, education and training. This is key for giving them the necessary skills to defend against and respond to cyberattacks. Here are some tips for effective cybersecurity training for DevOps teams:

1. Encourage them to stay vigilant and adopt a security-first approach to DevOps.
2. Promote education and awareness about security best practices such as shifting left and automation to help them identify vulnerabilities and eliminate risks throughout the software development lifecycle.
3. Enforce security from the top down and educate them on security ownership and shared responsibility.
4. Reward them and celebrate team wins to inspire and empower them. 

Developing a detailed plan for leadership and identifying roadblocks ahead is the first step in change management. Once your plan is developed, share it with DevOps leaders and team members to rally them behind the cause. Ensure that they understand the problems and challenges that they face and “why” things need to change.

Remember, change doesn't happen overnight. Transparency and trust are key. Change comes slowly with repetition. By fostering a collaborative culture, DevOps can learn how to better collaborate with security teams and share best practices, tools and techniques to improve their workflows and strengthen their security culture.

Step 3. Integrate security into DevOps with the right DevSecOps tools

Motivating DevOps teams to be “passionate” about security is much easier said than done, but having the right tools in place significantly improves how DevOps and security teams communicate and collaborate.

Traditionally, DevOps and security teams have been siloed, operating independently, which ultimately creates a cultural divide between the two. Always working under time pressure, DevOps teams are often “too busy” to worry about security and see security as an obstacle that slows down the development process, negatively impacting their time to market, efficiency and agility. Additionally, the processes and tools that security teams have tried to impose have left developers frustrated, with the general consensus that security teams do not “understand” the development process, and that their expectations do not align with DevOps teams’ reality.

By contrast, security teams view themselves as the guardians and enforcers of security and find DevOps to be rather apathetic in regard to security. They believe that DevOps teams choose to ignore their guidance and requirements. Consequently, security teams have also found themselves frustrated while scanning code that’s insecure at the final stages of the software pipeline, which generally resulted in two outcomes: the insecure code’s deployment getting delayed or canceled, or worse, the insecure code being released as-is, providing a pathway for cybercriminals to attack.

The lack of understanding between the two teams has created tension and a blame culture, making it difficult for them to collaborate effectively and for organizations to build a culture of security.

However, security leaders can create environments where developers, operations and security teams are heavily integrated and all share the responsibility of security. In these organizations, security is no longer the sole responsibility of the security team. Instead, developers become part of the security solution, spawning movements such as shift-left, “the application of security controls as early in the software development life cycle (SDLC).”

These CISOs and security leaders are implementing a DevSecOps approach which fosters collaboration between DevOps and security teams. A key success element is to provide DevOps teams with the right DevSecOps tools.

The right kind of DevSecOps tools should be “developer-friendly.” They are intuitive, simple, automated and integrated with developers’ tools. For example, tools such as Static Application Security Testing Tool (SAST), Dynamic Application Security Testing Tools (DAST), and Software Composition Analysis Tools (SCA) work well for developers by helping them write more secure code.

According to CSO Online, SAST tools “analyze source codes of programs and applications while they are still under development” while DAST tools are deployed after the completion of a program, “acting as an outside tester to hack a program and look for potential vulnerabilities to exploit”. Additionally, these tools do not slow developers down and allow code errors to be detected before they make it into production, helping developers adopt a “shift left” approach. By deploying both SAST and DAST tools, DevOps teams can better protect their applications against threats and therefore decrease risks.

Software Composition Analysis tools analyze open source code, which can often make up 90% or more of an application’s code base. Open source code can contain vulnerabilities and misconfigurations, so it’s critical for DevOps teams to check any open source component for security flaws before incorporating it into their applications.

Furthermore, security leaders can work with teams to survey the best tools that promote security in an agile environment. This not only makes it easier for developers to write more secure code but also empowers them to prioritize security as they can leverage automated security tools to identify risks and vulnerabilities in real-time.

Building a strong security culture requires an all-hands approach to security that simultaneously promotes a collaborative culture. Through this methodology, development and security teams can learn to work together to prioritize security by embracing the concept of DevSecOps with the right tools in place.

Make the change

Building a culture of security is a continual team effort but it starts at the top with leadership. Security leaders must invest in a security strategy and continue to promote security awareness to their teams.

Treating security as a priority and shared responsibility is key to enabling DevSecOps success and building a strong security culture. Implementing a DevSecOps approach means everyone has a responsibility or a role in building a security culture, therefore all teams can be held accountable. Additionally, DevOps teams can have better clarity surrounding their roles, responsibilities and expectations when it comes to security.

Overall, creating a strong security culture means embracing cultural change and working towards improving the various attitudes and mindsets through change management, awareness, education, training and understanding. Once security leaders have taken the appropriate steps to build and reinforce their security culture, they can make the changes to move their organization and teams forward in the right direction and establish a strong culture of security.

Learn More

• Read the blog: What is IaC? Why Does It Matter to the CISO?          
• Download the Ebook: How to Choose a Modern CSPM Tool to Reduce Your Cloud Infrastructure Risk 
• To learn more about our capabilities, visit the Tenable.cs Product Page