For over a decade, agile technology was looked at with doubt and speculation. Most executives believed it was something being kicked around by IT with no true impact in the long run. So, it’s no surprise security executives have an instinct to pump the brakes as they witness their enterprises rapidly adopting agile technology practices. But, they should fight the urge.
Embracing agile has become a competitive imperative in most cases — practices have increased success rates in software dev, improved quality and speed in go-to-market, and boosted productivity of IT teams. So, while I haven’t seen a CSO successfully stop the adoption of agile practices, I have seen more than a few replaced after campaigning against IT agility.
The most innovative companies will be the ones incorporating security best practices into agile teams. Those companies that lead the way in terms of cybersecurity will focus on these three main areas: security-as-a-service, automation and DevSecOps.
Today’s enterprises expect security-as-a-service, the ability for technology consumers to provision their own security, to follow the same self-service direction the rest of technology is taking. The major shift is less about the security organization directly delivering security work products, and more about providing capabilities that let technology consumers deliver their own security.
Take, for example, exposure management. In traditional settings, application owners would open a project alongside the security engineering and operations teams so that exposure management could be licensed, configured and deployed for the new application.
In the newer security-as-a-service model, that exposure management service already exists. It was built in compliance with the existing corporate policies and technical standards. The application owners simply activate the service through a self-service portal or other provisioning tool.
This creates a more effective security experience, because an application owner who can enable security with a few clicks is less likely to skip it, and it makes the process more efficient. Both aspects are critical if security is to keep up with the raw scale and speed of agile technology delivery. Over a multi-year transition, building services that are repeatable with only minor tweaks is vital: it removes the overhead of running a one-off project for every application that migrates to an agile delivery model.
When it comes to automation, the main issue is simply scale. Agility creates a massive amount of new security and compliance overhead for a number of reasons. A few examples include:
- The adoption of cloud infrastructure means far more individual workloads, more broadly distributed, with a much higher rate of change.
- Agile application development coupled with DevOps and continuous delivery changes the release schedule: instead of quarterly and monthly rollouts, we’re looking at weekly or even daily releases.
- Consumerized, readily accessible SaaS and other cloud services result in an exploding number of locations that need to be secured and monitored.
The first step is recognizing that every one of these drives more work for security. The key to real success in an agile technology enterprise is to lean heavily into automation: controls that are checked by a pipeline on every change, rather than by a person on every project.
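As an added example (not code from the original article), the check below shows what the self-service exposure management service described earlier and the automation argued for here look like when combined: a policy-as-code evaluation that runs over an entire workload inventory on every change and flags workloads that are not enrolled in the exposure management service, have a stale scan, lack the tags the corporate standard requires, or are internet-facing without an approved exception. The standards (seven-day scan freshness, required tags, the allowed classification for public workloads), the workload fields, the inventory entries and the exception identifier are all constructed for illustration and are not a real organization's data.

```python
"""Policy-as-code check over a cloud workload inventory.

Added example for illustration; all standards, fields and inventory
entries below are constructed, not taken from any real environment.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Corporate standards the exposure management service enforces (assumed values).
MAX_SCAN_AGE_DAYS = 7
REQUIRED_TAGS = ("owner", "data_classification")
PUBLIC_ALLOWED_CLASSIFICATIONS = {"public"}


@dataclass(frozen=True)
class Workload:
    """One deployed workload as reported by the cloud inventory (constructed shape)."""
    name: str
    public: bool                     # reachable from the internet
    tags: Dict[str, str]
    exposure_service_enrolled: bool  # activated via the self-service portal
    last_scan: Optional[date] = None
    exception_id: Optional[str] = None  # approved risk exception, if any


@dataclass(frozen=True)
class Finding:
    workload: str
    rule: str
    detail: str


def check_workload(w: Workload, today: date) -> List[Finding]:
    """Evaluate a single workload against the standards; rules are independent."""
    findings: List[Finding] = []

    missing = [t for t in REQUIRED_TAGS if t not in w.tags]
    if missing:
        findings.append(Finding(w.name, "required-tags", f"missing {', '.join(missing)}"))

    if not w.exposure_service_enrolled:
        findings.append(Finding(w.name, "exposure-enrolled",
                                "not enrolled in the exposure management service"))
    elif w.last_scan is None or (today - w.last_scan).days > MAX_SCAN_AGE_DAYS:
        # Only meaningful for enrolled workloads; unenrolled ones were flagged above.
        findings.append(Finding(w.name, "scan-freshness",
                                f"last scan {w.last_scan} older than {MAX_SCAN_AGE_DAYS} days"))

    classification = w.tags.get("data_classification")
    if w.public and classification not in PUBLIC_ALLOWED_CLASSIFICATIONS and not w.exception_id:
        findings.append(Finding(w.name, "public-exposure",
                                f"internet-facing with classification {classification!r} and no exception"))
    return findings


def evaluate(inventory: List[Workload], today: date) -> Dict[str, List[Finding]]:
    """Run every rule over every workload; the same code scales to thousands of entries."""
    return {w.name: check_workload(w, today) for w in inventory}


def noncompliant(results: Dict[str, List[Finding]]) -> List[str]:
    """Names of workloads with at least one finding, sorted for stable reporting."""
    return sorted(name for name, findings in results.items() if findings)


# Constructed sample inventory: four workloads covering the pass and fail paths.
SAMPLE_INVENTORY = [
    Workload("api-gateway", public=True,
             tags={"owner": "team-edge", "data_classification": "public"},
             exposure_service_enrolled=True, last_scan=date(2024, 5, 30)),
    Workload("payments-db", public=False,
             tags={"owner": "team-pay"},                       # classification tag missing
             exposure_service_enrolled=True, last_scan=date(2024, 5, 1)),  # stale scan
    Workload("legacy-batch", public=True,
             tags={"owner": "team-ops", "data_classification": "internal"},
             exposure_service_enrolled=False),                  # never onboarded
    Workload("partner-portal", public=True,
             tags={"owner": "team-b2b", "data_classification": "confidential"},
             exposure_service_enrolled=True, last_scan=date(2024, 5, 31),
             exception_id="EXC-0042"),                          # constructed exception id
]


def run_sample() -> Dict[str, List[Finding]]:
    """Evaluate the constructed inventory as of a fixed date so results are reproducible."""
    return evaluate(SAMPLE_INVENTORY, today=date(2024, 6, 1))


if __name__ == "__main__":
    results = run_sample()
    for name in noncompliant(results):
        for f in results[name]:
            print(f"{f.workload}: [{f.rule}] {f.detail}")
```

In a pipeline this would read the inventory from the cloud provider or CMDB instead of the embedded list, and a non-empty `noncompliant()` result would fail the build or open a ticket against the tag in `owner`; the exception check is what keeps the automation from becoming a blanket veto that application owners route around.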
The role of DevSecOps is to embed security into agile dev operating practices. This is the “consumer” side of the security-as-a-service equation: Think about the central security organization as a service provider, and DevSecOps engineers as the consumers of those services.
Embedding security skill sets into DevOps teams doesn’t mean you have to hire all new people. It means each team has a dedicated, on-the-ground member who is accountable for putting the right security services in play. This is about harmonizing and scaling security so that it aligns with agile technology delivery models.
As threats to security grow, so must the capacity for innovation — even more so as we move to more agile development practices. The most successful companies are finding ways to get ahead of the issue by studying how enterprises approach it, rather than fighting the inevitable shift. Armed with the knowledge of security’s continued importance, leaders are mapping out direction options, and steering their dev ships accordingly.