When security embraces agile, innovation happens
The rapid adoption of agile technologies and practices has made many security leaders uneasy. Having regarded agile development with doubt for more than a decade, most executives believed it would have no real impact in the long run. They were wrong. Now these leaders should fight the urge to resist their enterprises' rapid adoption of agile practices if they want to stay ahead of the curve.
Embracing agile has become a competitive imperative in most cases—practices have increased success rates in software development, improved quality and speed in go-to-market, and boosted productivity of IT teams. So, while I haven’t seen a CSO successfully stop the adoption of agile practices, I have seen more than a few replaced after campaigning against them.
Companies that incorporate security best practices into agile teams will lead the way in terms of cybersecurity. The most innovative of them focus on three main areas: automation, security as a service, and DevSecOps.
Automation
Agility creates a large amount of new security and compliance overhead, so when it comes to automation the main issue is simply scale. Three examples:
- Agile application development coupled with DevOps and continuous delivery changes the release schedule. Instead of quarterly or monthly rollouts, we're looking at weekly or even daily releases, and every release needs the same security review and testing as before.
- Consumerized, readily accessible SaaS and other cloud services produce an exploding number of locations that need to be secured and monitored.
- The adoption of cloud infrastructure has led to far more individual workloads, more broadly distributed, with a much higher rate of change.
The first step is recognizing that each of these drives more work for security. Manual, project-by-project review cannot keep pace with daily releases across hundreds of workloads; to overcome the workload problem, you need to lean heavily into automation to be successful in an agile enterprise.
Security as a service
Today's enterprises expect security to follow the direction the rest of technology has already taken: security as a service, meaning that technology users can provision their own security. This shift is less about the security team directly producing security deliverables and more about providing capabilities that let technology consumers deliver their own security.
Take, for example, exposure management. In a traditional setting, application owners open a project with the security engineering and operations teams so that exposure management can be licensed, configured, and deployed for the new application.
In the security-as-a-service model, the exposure management service already exists, with built-in compliance with the existing corporate protocols and technical standards. Application owners activate the service through a self-service portal or other provisioning tool.
This not only creates a more effective security experience, because application owners are less likely to shirk security concerns when enabling a service costs them a few clicks rather than a project, but also makes the process more efficient. Both aspects are critical to security's ability to keep up with the raw scale and speed of agile technology delivery. Over a multi-year transition, creating services that can be repeated with minor tweaks is vital; it greatly relieves the overhead of running a one-off project for every application that is migrated to an agile delivery model.
DevSecOps
DevSecOps endeavors to embed security into agile development operating practices. It strives to make security part of the team's DNA rather than a tacked-on practice. The central security organization is the service provider, and the DevSecOps engineers on the product teams are the "consumers" of those security services.
While development teams need a working understanding of security, embedding skills into DevOps teams doesn't require hiring new people. You do, however, need a dedicated, on-the-ground team member who is accountable for putting the right security services in play. This has everything to do with harmonizing and scaling security to better align with agile technology delivery models.
It's time to adapt
The most successful companies are finding ways to get ahead of growing security threats by studying how leading enterprises approach them, rather than fighting the inevitable shift. Armed with the knowledge of security's continued importance, you too can map out your options and steer your development ships accordingly.
Image credit: Flickr