“People are the lifeblood of IT security”

How can you deliver software and IT systems, services and products faster while giving their security aspects the attention they deserve? For a big financial institution like APG, that is no small challenge. In his contribution to the “CISO’s Guide for Implementing DevSecOps in the Enterprise,” published on May 11, APG’s Group Digital Officer Frans van Kessel argues that timing, team empowerment and individual development are essential to successfully addressing this challenge. Prior to publication, we asked him a few questions.

How would you describe DevSecOps?

Van Kessel: “DevOps is the combination of software development - Development - and operational business activities - Operations - in close collaboration between people, processes and technology. That combination is aimed at providing ongoing value to customers. The purpose of DevSecOps is to bridge the security gap between Development and Operations so that software and IT systems, services and products can be delivered faster and more securely. Cybersecurity sometimes tends to be addressed at the end of the development process sometimes. This can delay releases and hinder the benefits of DevOps and the Agile way of working. The idea is that not only security teams pay attention to digital security. Everyone involved in building and maintaining software and IT systems, services and products has a role in this. It is not another team’s job to make your product secure. So show ownership and take responsibility. You build it, you run it, and you secure it end-to-end.”

In your contribution to the book, you talk about the transition from DevOps to DevSecOps. What does that transition look like and what factors do you think are crucial in it?

“I don’t see it so much as a pure transition from one state to another. It is more like just a logical step toward a more secure IT environment. To that end, we are trying to get our people to have a DevSecOps mindset without explicitly naming it. This is a natural, quiet evolution, rather than a transformational revolution. Recognition and integration of cybersecurity as a necessary part of DevOps has led to the term DevSecOps.  Some say that DevOps is necessarily DevSecOps and no new term is needed. But the term makes sense on its own because it refers to a DevOps environment in which a focused integration of security controls has been successfully achieved through collaboration of development, operations and security teams. DevOps and DevSecOps are two sides of the same coin. They are aligned toward the same goal: to deliver value faster and with better security.

For that evolution to succeed, you need the right mindset, organizational culture and governance. It’s important to be open to change. In an environment that meets all those conditions, you can empower teams.”

Can you give an example of an important insight in your contribution to this book?

“The world is becoming increasingly more digital, and to continue to take advantage of its opportunities, security has become incredibly important. Today, security cannot be taken for granted. The increased frequency and impact of recent cyber attacks have highlighted the importance of security. It is no longer just the responsibility and concern of a separate department with dedicated specialists. Everyone in the organization must be mindful of it, including DevOps teams as key units for developing and operating information systems.

This is why we start early in the timeline with security: shift security left, meaning that considerations in this area are integrated into the development process from the beginning, rather than treated as an afterthought. DevSecOps works best when the infusion of security into development and operational activities engages and empowers people.”

How do you ensure people get involved and are able to deal with this greater responsibility?  

“With knowledge sharing, internal security awareness increases, security issues are understood. In this regard, it is important to realize that it is not organizations that learn, but individual employees. As an organization, you must facilitate continuous learning and development for your people so that they themselves can take the next step toward higher digital security. Investing in people is a critical success factor because they are the lifeblood of IT security.

The human body functions properly only when certain conditions are present, such as proper nutrition, exercise, sleep and shelter. The immune system allows the body to defend itself against possible attacks. Like the human body, the IT landscape needs certain conditions, such as digital security. If you take those away, the organization will struggle and cease to survive. Therefore, security should not be treated as a separate function - it is vital to the success of any global organization.”

Also see Cyber Security - Do you see your future with APG? | Homepage - Careers at APG