For many organizations looking for ways to transform as they re-emerge from the pandemic, digital and agile teams are the cornerstones of the new reality. If these teams are not leveraged effectively, however, they can pose a challenge for well-established information technology (IT) and information systems (IS) functions. Digital teams are often fixated on the requirement to be fast and nimble, while traditional controls and broader IT processes are seen as inflexible, slow and a blocker to progress.
Security and consistency
Over the past 18 months, KPMG professionals have observed multiple incidents around the globe in which outsourced developers, contractors or internal digital development teams failed to implement consistent security controls across their environments. As organizations grapple with the so-called security deficit caused by the rapid development and rollout of cloud applications to support remote work, we may see more incidents like these. And while incident management isn’t the focus of this post, most will agree that preventing incidents in the first place is the more useful approach.
Security by design is part of that. Some organizations have neglected basic security hygiene, leading to large exposures. For example, production code has been published on public code-sharing platforms, and subsystem changes have been applied in insecure ways: hardcoding API passwords, reusing third-party code without vetting it, leaving back-end API calls unauthenticated, implementing logic changes inconsistently, and more.
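To make the "unauthenticated back-end API call" mistake concrete, here is an added example (written for this page, not code from the original post or from KPMG) showing a minimal internal record-lookup handler in its vulnerable form beside a hardened form that authenticates and authorizes the calling service with an HMAC-signed, time-bound token. The record store, service names, header name and per-service keys are all assumptions constructed for the example; a real deployment would load the keys from a secret store and run the handlers behind a web framework.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data standing in for a customer database (not real records).
RECORDS = {
    "1001": {"name": "A. Example", "email": "a@example.invalid"},
    "1002": {"name": "B. Example", "email": "b@example.invalid"},
}


def make_request(record_id, token=None):
    """Model a request as a plain dict so the handlers run without a web framework."""
    headers = {"X-Service-Token": token} if token else {}
    return {"params": {"id": record_id}, "headers": headers}


# --- The mistake: an "internal" back-end endpoint that trusts every caller ---
def get_record_unauthenticated(request):
    """Anything that can reach this handler can read any record by id.
    No caller identity is checked; network position is the only 'control'."""
    rec = RECORDS.get(request["params"].get("id", ""))
    return (200, rec) if rec else (404, None)


# --- The fix: callers must prove which service they are on every request ---
# Assumption for this example: per-service keys are generated at start-up.
# A real deployment loads them from a secret store rather than hardcoding them.
SERVICE_KEYS = {"billing-svc": secrets.token_bytes(32)}
RECORD_READERS = {"billing-svc"}   # authorization: which services may read records


def mint_token(service, key, ts=None):
    """Caller side: build 'service:timestamp:hmac' over the service name and time."""
    ts = int(time.time() if ts is None else ts)
    sig = hmac.new(key, f"{service}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{service}:{ts}:{sig}"


def verify_token(token, now=None, max_age=300):
    """Return the authenticated service name, or None if the token is malformed,
    from an unknown service, forged, or outside the replay window (max_age seconds)."""
    try:
        service, ts_str, sig = token.split(":")
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return None
    key = SERVICE_KEYS.get(service)
    if key is None:
        return None
    expected = hmac.new(key, f"{service}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    now = time.time() if now is None else now
    if abs(now - ts) > max_age:                  # reject stale or replayed tokens
        return None
    return service


def get_record_authenticated(request, now=None):
    """Same lookup, but the caller is authenticated and authorized first."""
    service = verify_token(request["headers"].get("X-Service-Token", ""), now=now)
    if service is None:
        return (401, None)
    if service not in RECORD_READERS:
        return (403, None)
    rec = RECORDS.get(request["params"].get("id", ""))
    return (200, rec) if rec else (404, None)
```

The two handlers differ by a few lines, which is the point of the "make it real" message: the vulnerable version is the natural thing to write when an endpoint is thought of as "internal". Note that authenticating the caller is not the same as authorizing it; the hardened handler checks both, and the shared-secret token shown here is a stand-in for whatever service identity mechanism (mTLS, signed JWTs from an identity provider) the platform already offers.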
Looking at these examples, I step back and wonder, why aren’t organizations redesigning processes to be simpler, so that the basics are at the forefront of people’s minds and practices? Why do organizations repeat the same mistakes every single time?
Is it a result of individual behaviors, or is it a symptom of broader cultural issues? Is there a better way to proceed, perhaps more automated and linked to a broader ecosystem? How can we focus on achieving better outcomes, while sustaining the creativity and innovation brought by these new teams? And most critically, have businesses done enough to fully understand their digital teams’ needs and to implement the nimble and agile processes that will support them?
The answer lies with DevSecOps processes
To answer some of these questions, we need to look for early successes: instances where organizations have seen improvements by implementing robust development, security and operations (DevSecOps) processes in their development environments, and where they have made everyone accountable for security, ensuring that security decisions and actions are implemented at the same scale and speed as development and operations decisions and actions.
In the post-pandemic ecosystem, the demand for efficiency in deploying technologies will likely become a driving force. Getting scale, consistency and automation within the organization and then embedding these changes with partners and service providers outside the organization will be a key challenge over the next 12-24 months.
Breaking down the mystical DevSecOps
All of this will require breaking the DevSecOps buzzwords down into simple, action-oriented activities that build appreciation for DevSecOps and embed it in the organizational culture. There are several helpful and manageable strategies organizations should follow.
- Make it simple. It’s essential that everyone within the development teams (whether insourced or outsourced) understands their responsibilities, so be clear about secure coding requirements. What is good vs. bad code? What do you expect the developers to do and why?
- Make it real. Describe what good coding practice looks like vs. bad coding practice and show people why it matters. Demonstrate how a simple coding mistake could create a large security exposure (e.g. an unauthenticated back-end API call that exposes database records). Consider launching a physical or digital wall in the workplace to highlight examples, and create positive messaging around it that will build support.
- Make it happen. Automate, and provide the tools and techniques that make development teams accountable for their choices and mistakes. Learn from the existing processes and equip these teams with the security tools to test their own code before sending it to security for testing. Pilot decentralized processes in which the development teams perform 90 percent of security testing and the security team performs the final 10 percent. Create case competitions and challenges to minimize secure-coding mistakes, and of course...
- Make it stick. As the DevSecOps culture grows and becomes mature, continue with cross-functional testing teams, identify areas for further improvements and celebrate success. Gamify where possible and allow people to have fun.
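As an added example of the "make it happen" step above (not code from the original post or from KPMG), the following is a minimal pre-commit / CI gate that developers can run on their own changes before anything reaches the security team. It scans source text for the hygiene failures listed earlier on this page (credentials assigned in source, cloud access-key identifiers, private-key material), returns a non-zero exit code on any finding, and tolerates explicit placeholders and a reviewable per-line opt-out marker. The rule names, the opt-out marker and the sample file are assumptions constructed for the example.

```python
import re
import sys

# Patterns for the mistakes the post lists: credentials assigned in source,
# cloud access-key identifiers and private-key material.
PATTERNS = {
    "assigned-credential": re.compile(
        r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*['"]([^'"]{8,})['"]"""
    ),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Obvious placeholders are not findings; anything else that looks assigned is.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}
ALLOW_MARKER = "# secret-scan: allow"   # explicit, reviewable opt-out for one line


def scan_source(text, path="<inline>"):
    """Return a list of findings, one per (line, rule) that matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:
            continue
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "assigned-credential" and m.group(2).strip().lower() in PLACEHOLDERS:
                continue
            findings.append({"rule": rule, "path": path, "line": lineno, "snippet": line.strip()})
    return findings


def gate(text, path="<inline>"):
    """Pre-commit / CI entry point: (exit_code, findings); non-zero blocks the change."""
    findings = scan_source(text, path)
    return (1 if findings else 0), findings


# Constructed sample file, not taken from any real code base.
SAMPLE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]        # good: injected at runtime
db_password = "Pr0d-Db-S3cret-2021!"           # bad: production credential in source
password = "changeme"                          # placeholder, tolerated
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"     # bad: access-key identifier pattern
-----BEGIN RSA PRIVATE KEY-----                # bad: key material committed
TEST_TOKEN = "not-a-real-token-12"  # secret-scan: allow
"""


def report(findings):
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']}: {f['snippet']}")


if __name__ == "__main__":
    # Usage: python secret_gate.py file1.py file2.py ...   (exit 1 on any finding)
    # With no arguments the constructed sample is scanned instead.
    paths = sys.argv[1:]
    code = 0
    if not paths:
        code, found = gate(SAMPLE, "sample.py")
        report(found)
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            rc, found = gate(fh.read(), p)
        report(found)
        code |= rc
    sys.exit(code)
```

Wired into a pre-commit hook or the first stage of the pipeline, this is the kind of check that shifts the first 90 percent of the work to the people making the change: the finding arrives seconds after the mistake, with the line number, rather than weeks later from a security review or from a public repository. The opt-out marker is deliberately visible in the diff so that a reviewer, not only the author, sees every exception.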
As organizations move towards transformation, the degree to which they can build and implement an agile team culture will help determine their success. This is only part of the solution, however. In the end, these steps help reduce potential exposures, but a bigger question remains: how do we respond more efficiently when the incidents hit?