In your contribution to the book, you talk about the transition from DevOps to DevSecOps. What does that transition look like and what factors do you think are crucial in it?
“I don’t see it so much as a pure transition from one state to another. It is more like just a logical step toward a more secure IT environment. To that end, we are trying to get our people to have a DevSecOps mindset without explicitly naming it. This is a natural, quiet evolution, rather than a transformational revolution. Recognition and integration of cybersecurity as a necessary part of DevOps have led to the term DevSecOps. Some say that DevOps is necessarily DevSecOps and no new term is needed. But the term makes sense on its own because it refers to a DevOps environment in which a focused integration of security controls has been successfully achieved through collaboration of development, operations and security teams. DevOps and DevSecOps are two sides of the same coin. They are aligned toward the same goal: to deliver value faster and with better security.
For that evolution to succeed, you need the right mindset, organizational culture and governance. It’s important to be open to change. In an environment that meets all those conditions, you can empower teams.”
Can you give an example of an important insight in your contribution to this book?
“The world is becoming increasingly digital, and to continue to take advantage of its opportunities, security has become incredibly important. Today, security cannot be taken for granted. The increased frequency and impact of recent cyber attacks have highlighted the importance of security. It is no longer just the responsibility and concern of a separate department with dedicated specialists. Everyone in the organization must be mindful of it, including DevOps teams as key units for developing and operating information systems.
This is why we start early in the timeline with security: shift security left, meaning that considerations in this area are integrated into the development process from the beginning, rather than treated as an afterthought. DevSecOps works best when the infusion of security into development and operational activities engages and empowers people.”
How do you ensure people get involved and are able to deal with this greater responsibility?
“With knowledge sharing, internal security awareness increases and security issues are understood. In this regard, it is important to realize that it is not organizations that learn, but individual employees. As an organization, you must facilitate continuous learning and development for your people so that they themselves can take the next step toward higher digital security. Investing in people is a critical success factor because they are the lifeblood of IT security.
The human body functions properly only when certain conditions are present, such as proper nutrition, exercise, sleep and shelter. The immune system allows the body to defend itself against possible attacks. Like the human body, the IT landscape needs certain conditions, such as digital security. If you take those away, the organization will struggle and cease to survive. Therefore, security should not be treated as a separate function - it is vital to the success of any global organization.”