DevOps teams often focus on speed at the expense of security, and it's an oversight that needs to change, according to Lev Lesokhin, executive vice president of strategy and analytics at CAST, a software company in New York.
Lesokhin is a proponent of a concept called cyber resilience, which aims to disperse security efforts more holistically throughout the enterprise. For the DevOps organization, that means integrating security into the development process rather than leaving it to the CISO's organization -- a change Lesokhin called "shift-left thinking."
One of the questions CIOs might ask themselves is how to get the DevOps organization to care about security in the first place. Lesokhin has an idea about that: He suggested CIOs use gamification techniques. SearchCIO caught up with Lesokhin at the recent MIT Sloan CIO Symposium where he explained why cyber resilience should be on every CIO's to-do list and how CIOs can make security a DevOps team sport.
Below are excerpts from the interview.
What is the relationship between DevOps and cyber resilience?
Lev Lesokhin: One of the things that's driving the change in thinking around cyber and cyber resilience is what's happening in the digital realm with DevOps and cloud. DevOps naturally breaks down the barrier between development and operations. Whereas before you would have a lot of process before you put anything in production, now there are some instances where the developer will press a button and promote something into production.
That process forces the organization to break down the barriers between the operations team and the business continuity team, which has typically been concerned about system uptime and making sure that nothing fails in production, and the development team, which is typically concerned with getting things out as quickly as possible. They kind of clash in the middle, with the CISO being a bit more on the production side, saying, 'If it doesn't pass my CISO requirements, then you can't put it out.'
The business has been trying to move more quickly using DevOps techniques, and it's been causing organizations to think differently about how they introduce cyber resilience and security concerns into the development cycle. That's been part of the reason for this kind of shift-left thinking to integrate resilience concerns all the way into the whole lifecycle of how digital capabilities are delivered.
How do DevOps organizations typically deal with security?
Lesokhin: With DevOps, security is still an afterthought. I don't want to paint the picture that security is fully baked into the DevOps cycle. ... Most developers want to do creative things. They want to put out creative functionality. They want to be responsive to the business. They don't want to be that concerned about stability, security -- these things are traditionally in the realm of things that happen after I'm done with what I'm doing.
So, there's a cultural shift that has to happen and an education industrywide on the development side of DevOps and for developers everywhere, which is why this has to go beyond the CISO. This has to be a whole-organization movement.
How do CIOs get the DevOps organization to care?
Lesokhin: Some organizations we see have performance metrics. They measure what developers are producing. The Software Engineering Institute, the Object Management Group, and the Consortium for IT Software Quality have put out some standards for how you measure reliability, security, performance efficiency and maintainability of software. We're seeing some organizations adopt these metrics and create scorecards to get developers to care about these types of concerns.
It's rare that [metrics] come into a formal MBO [management by objective] or appraisal metrics or HR metrics. That's usually not a good idea because that kind of creates a negative environment. But the way that we've seen the most innovative organizations apply these metrics is to make them very transparent.
Typically, development is a team sport; it's not advisable to measure individual developers, although many managers would love to do that. But development is a team sport, and when you have teams competing on certain metrics, and you put them up in the fishbowl or on the walls, you put the leaderboards up there, it kind of gamifies the process and it gets developers to care.