Security and development operations (DevOps) can no longer operate in isolation from each other — digital transformation makes it imperative that the two disciplines work together to deliver secure products at the “speed of digital”. This was the subject of much discussion at a recent IDC European CISO Summit.
When I joined DXC Technology as a security specialist 3 years ago, our security team of 3,500 specialists operated, in most instances, independently of the other 60,000+ technologists who worked on innovative development projects. When the technologists built a new capability, they would pass it on to us, and we would add the security element. This is a gross simplification, but it reflects the basic operational process.
It’s the way the industry has handled security for decades. However, the process has changed significantly over the past 24 months, since the security team started to work with the technologists at the start of the development process. At first, we thought the developers would have no security maturity. But, to our surprise, they had already developed many capabilities themselves. They’ve moved rapidly into the security space as part of the transition from DevOps to development, security and operations (DevSecOps), which is good to see. Today, security and development are tightly integrated. It’s a case of “build-in” rather than “bolt-on”.
However, this brings up an interesting industry challenge: Most security people aren’t programmers. I was a classical musician before I stumbled into security. As a collective, security experts have different skills from those of developers, and there is surprisingly little overlap. This is going to be a problem for the entire security industry as we seek to fully understand and support DevOps and the digital transformation.
As security professionals, we need to evolve, and evolve rapidly. We need to take responsibility and move towards a DevSecOps mode of operation. Developers are moving into the security space rapidly as security testing “shifts left”, i.e. is performed earlier in the software development lifecycle rather than just before release. If we want to support developers, we need to grow together. Developers alone cannot deliver a secure digital transformation; we need a symbiotic partnership.
So, there’s a transition occurring. The developers are moving more towards security. Security specialists also have to move towards developers. This brings up another question: What will the security profession look like in 2 to 3 years?
I think we’re going to see a quite rapid contraction of pure-play security professionals. Security will increasingly be a secondary skill for developers, and with continuous integration and continuous delivery/deployment (CI/CD), we’ll see a lot of the day-to-day security work, such as vulnerability management, carried out by those developers. This will help fill the global security skills deficit, and it’s a good thing for technology and for the world, given the potential human cost of security breaches.
But, there will still be a need for dedicated security skills. For instance, cross-enterprise activities such as security strategy, security monitoring, forensics and threat hunting will always require a centralised team.
In the future, the notion of having pure-play security professionals will be much rarer, but security activities will be endemic to all development. As security professionals, we need to learn to support and mentor our developer colleagues, but also to learn from them. That’s when we’ll have realised DevSecOps and will truly be delivering digital transformation.
Digital transformation is changing the way we look at security. Read more here on why security must become a business enabler to be taken seriously by business organisations.