
Gartner: DevOps is good; DevSecOps is better

Make way for DevSecOps. According to Gartner analyst David Cearley, CIOs need to add security professionals to their DevOps teams.

DevOps, or the blending of an enterprise's applications development and systems operations teams, has become a trendy IT topic. The new operating model is often employed in conjunction with Agile software development methods and leverages the scalability of cloud computing -- all in the interest of making companies more nimble and competitive. But, according to one expert, the approach as it is typically practiced today doesn't go far enough.

David Cearley, an analyst at Gartner Inc., believes today's CIOs need to revise DevOps to include security. He calls it DevSecOps. "It's development, it's security, it's operations operating as a dynamic force to create solutions," he said.

Investing in firewalls and perimeter defense isn't bad per se, Cearley said. But with high-profile breaches at Target, Home Depot and Sony that left these organizations (among others) with black eyes, it's clear that simply guarding the borders is not enough. By adding security to a DevOps program, CIOs and their teams will be forced to think about security in a more granular way -- at the start of the software development process, rather than as an afterthought.


Adding security to DevOps, in classic IT language, turns out to be a people and process problem more than a technology problem. For many organizations, these teams work in separate closets "that don't even have a common wall between them," Cearley said. Still, getting everyone in the same room will be easier than getting everyone on the same page. Luckily, most enterprises have a person uniquely suited to break down cultural barriers and demand that security become a DevOps best practice, Cearley argued: the CIO.

"The CIO is the only one [who] is in a position to do something about this because the security team reports to him, the operations team reports to him, the applications team reports to him and the architecture team reports to him," he said. "The CIO is the leader; the CIO has to direct his team to say, 'If you don't work together, go get another job somewhere else.'"

DevSecOps manifesto

1. CIO-driven
2. Collaboration of unlike teams
3. Focus on risk, not security

Source: David Cearley, Gartner Inc.

Confronting the teams' "biases and preconceived notions" of how this work should be done will be one of the CIO's biggest challenges, Cearley said. "The CIO is asking them to rethink that." One suggestion? Rather than accepting separate reports on application development, operations and security, CIOs should reinforce the importance of collaboration by demanding a "unified approach for how we're going to be able to develop, secure, operate and manage the services we're delivering to our users," he said.

Cearley also recommended that CIOs direct the conversation away from security toward risk, which can help IT better integrate the business perspective into the process. "If you start with security, the focus becomes what tools are needed to get the ultimate security. I'm sorry, but that's the wrong focus," Cearley said. "You have to start with risk." By keeping the focus on risk, CIOs will help the business understand how IT can contribute to breaking into a new market or experimenting with a new type of analytics -- as well as how IT can minimize the potential dangers of doing so.

Let us know what you think of the story; email Nicole Laskowski, senior news writer, or find her on Twitter @TT_Nicole.


Should security be added to DevOps?
Even though DevOps is hot in the market and has been observed to have some of the best core tools and principles, the aspect of complying with proper security measures has not been addressed sufficiently. With the current trend in cybercrime, no enterprise can risk its confidentiality, integrity or availability, reasoning that the application is an open culture. Therefore, it is important that DevOps coders consider information security to avoid disasters for clients and enterprises.
YES! Application and Architecture Security should be one of the metrics of deliverable working software. If it's not there, you do not have a Deliverable! Both Application Security SME and Architecture Security SME should participate in DevOps process and organization. Security vulnerabilities need to be tested and remediated within the Agile Sprint.
It is critical that security is added to DevOps, but I believe many organizations are struggling with how to do this. Several issues include (a) how do you decentralize the security expertise and best practices to hundreds of agile teams from what is generally a centralized team today, and (b) how do you handle current processes such as segregation of duties, which actively seek to prevent developers rolling code straight to production.
Absolutely! Tools are great, but a focus on processes and people is key for security in a DevOps initiative. Awareness programs and training in secure coding, with management recognition for staff (coders, architects, etc.) who develop skills in secure application development best practices and who own and champion security within their own teams - agile or otherwise - are critical; establishing a software security group (SSG) to support these emerging security SMEs with a level of autonomy separate from the InfoSec team, supported by the CIO, and staffed by a core of advanced security-trained developers, architects and ops can prove invaluable to successfully ensuring security is not an afterthought or an add-on. It takes time, but DevOps as a culture change enabler doesn't happen overnight either.
Of course. DevOps brings a benefit of rapid response, and security is the aspect when speed matters a lot.
Most enterprises have somebody uniquely suited to bridge the gap between people's physical barriers and demand that security becomes a DevOps best practice.
I'd say that security must be a whole-team concern. Making a single person responsible is an agile anti-pattern.