maxkabakov - Fotolia
Security awareness training programs are commonplace in many industries, but IT security can still be considered a chore and an unnecessary drag on daily tasks. This lack of buy-in to the "security is everyone's responsibility" mindset can be changed as long as C-level managers actively promote the importance of security and the need for vigilance at all times.
Yet, many senior managers don't see their organizations as potential targets for cybercriminals or even understand why their IT systems would be attractive to hackers and criminals. The "it won't happen to us" or "why would it happen to us?" mindset undermines any security initiatives and puts the security team at a disadvantage, as well as the business and its customers at risk.
This situation isn't a great starting point for an organization looking to move from DevOps to a DevSecOps model, so any CISO or security team in this position needs to carefully plan how to present the case for bringing security into DevOps. Like good security awareness training, the content of any presentation should be relevant to the specific organization wherever possible.
How to sell a DevSecOps model
Projections and statistics -- like "Ransomware is expected to cost businesses and organizations $11.5 billion in 2019," or "The cost of the average data breach to a U.S. company is $7.91 million" -- won't convince those who believe it won't happen to them.
To work around that, draw up a list of all the key stakeholders who need to be convinced and who need to get totally on board for a move to a DevSecOps model to be successful.
Then, review the security events that have occurred in each of their areas of responsibility so you can highlight not only the larger threats, but also show real-life examples and evidence specific to each stakeholder. It shouldn't be a witch hunt. The goal is to make better security relevant to every department so it will promote the move to DevSecOps.
Of course, it is important to show how a DevSecOps model can improve overall business performance. It ensures products and services have security built in from the beginning and are therefore far more likely to resist attack, avoiding potentially costly interruptions to day-to-day operations. This and greater efficiency, compliance and responsiveness to changing business demands are the backbone of the case for the upfront investment in DevSecOps.
Keeping it real with a pilot program
But don't make unrealistic promises when cultivating a "security matters" ethos. Changing processes, tools and probably personnel takes time and can be a real challenge. Try using a pilot project to gauge whether your teams are ready for the challenge, and help prepare a full-scale DevSecOps implementation roadmap.
Of course, it's not only senior management that needs to be on board. Everyone in DevOps has to be convinced DevSecOps isn't just a passing trend, but a vital cultural shift in the age of the cloud, and security has to be a critical part of any IT ecosystem. It's essential to present clear cases for how moving security into the pipeline earlier adds value. Look at integrating members from different teams into new crossover teams, or at least, bring together development, operations and security teams in interactive DevSecOps awareness and training sessions. This way, employees will understand their core responsibilities and how their particular goals align with and benefit one another.
Promote developer, security team support
For developers, this means appreciating that, as a supportive member of the software development lifecycle and continuous integration/continuous delivery pipeline, the security team can help improve long-term productivity by reducing the buildup of unidentified security defects and vulnerabilities.
By uncovering problems early on, the cost of rectifying them is greatly reduced, as are the chances of them leading to a costly attack or breach. Organizations know they have truly embraced the DevSecOps model when everyone starts to consider risk versus value because it means people are thinking about security throughout the entire lifecycle of a project.