For many organizations looking for ways to transform as they re-emerge from the pandemic, digital and agile teams are the cornerstones of the new reality. If these teams are not leveraged effectively, however, they can pose a challenge for well-established information technology (IT) and Information Systems (IS) functions. Digital teams are often fixated on the requirement to be fast and nimble, while traditional controls and broader IT processes are seen as inflexible, slow and blockers to progress.
Over the past 18 months, KPMG professionals have observed multiple incidents around the globe in which either outsourced developers, contractors or internal digital development teams have failed to implement consistent security controls across the environments. As organizations grapple with the so-called security deficit caused by the rapid development and rollout of cloud applications to support remote work, we may see more incidents like these. And while incident management isn’t the focus for this post, most will agree that a more useful approach is preventing incidents in the first place.
Security by design is part of that. Some organizations have neglected basic security hygiene practices, leading to large exposures. For example, production code has been published on public code-sharing platforms, and subsystem changes have been applied in insecure ways (hardcoding API passwords, re-using third-party code without review, not authenticating callbacks on APIs, inconsistently implementing logic changes and more).
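Two of the hygiene failures listed above, hardcoded API passwords and unauthenticated API callbacks, are concrete enough to show side by side with their hardened forms. The following is an added example written for this post; it is not KPMG's code or part of the original text. It assumes the callback is authenticated with an HMAC-SHA256 signature carried in an `X-Signature` header, that the credential is supplied through an `API_PASSWORD` environment variable or secret store, and it uses a constructed placeholder password and a constructed regex-based secret check rather than any real tool's rules.

```python
import hmac
import hashlib
import os
import re

# --- Hardcoded credential: the anti-pattern beside a hardened form ---------

def vulnerable_api_client_config():
    # Anti-pattern: a credential baked into source. The value below is a
    # constructed placeholder, not a real secret.
    return {"api_password": "hardcoded-placeholder-password"}


def hardened_api_client_config(env=os.environ):
    # Credential comes from the environment (or a secret store that populates it).
    # Failing closed when it is missing avoids silently running with a blank password.
    password = env.get("API_PASSWORD")
    if not password:
        raise RuntimeError("API_PASSWORD must be supplied by the environment or secret store")
    return {"api_password": password}


# --- Callback authentication: unauthenticated beside HMAC-verified ----------

def sign_callback(body: bytes, secret: bytes) -> str:
    # The calling service signs the raw body with a shared secret.
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def unauthenticated_callback_handler(body: bytes, headers: dict) -> bool:
    # Anti-pattern: any caller who knows the URL is accepted.
    return True


def authenticated_callback_handler(body: bytes, headers: dict, secret: bytes) -> bool:
    # Recompute the signature over the body we actually received and compare in
    # constant time; a tampered body or missing header is rejected.
    presented = headers.get("X-Signature", "")
    expected = sign_callback(body, secret)
    return hmac.compare_digest(presented, expected)


# --- A minimal pre-commit style check for hardcoded credentials -------------

# Constructed pattern: an identifier like api_key / API_PASSWORD / api-token
# assigned a quoted literal of 8+ characters. Real scanners use far richer rules.
SECRET_PATTERNS = [
    re.compile(r'(?i)api[_-]?(key|password|secret|token)\s*[=:]\s*["\'][^"\']{8,}["\']'),
]


def find_hardcoded_secrets(source: str) -> list:
    """Return the 1-based line numbers in `source` that look like hardcoded credentials."""
    hits = []
    for number, line in enumerate(source.splitlines(), 1):
        if any(pattern.search(line) for pattern in SECRET_PATTERNS):
            hits.append(number)
    return hits


# Constructed sample source: line 2 hardcodes a credential, line 3 reads it from the environment.
SAMPLE_SOURCE = (
    "import os\n"
    'API_PASSWORD = "hardcoded-placeholder-password"\n'
    'api_key = os.environ["API_KEY"]\n'
)

if __name__ == "__main__":
    print("Hardcoded-secret lines:", find_hardcoded_secrets(SAMPLE_SOURCE))
    secret = b"constructed-shared-secret"
    body = b'{"order": 42}'
    headers = {"X-Signature": sign_callback(body, secret)}
    print("Genuine callback accepted:", authenticated_callback_handler(body, headers, secret))
    print("Tampered callback rejected:", not authenticated_callback_handler(b'{"order": 43}', headers, secret))
```

The scanner check is the kind of step that belongs in the pipeline rather than in a reviewer's head: run it on every commit and fail the build on a hit, so the basic is enforced at the same speed as the development work around it.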
Looking at these examples, I step back and wonder, why aren’t organizations redesigning processes to be simpler, so that the basics are at the forefront of people’s minds and practices? Why do organizations repeat the same mistakes every single time?
Is it a result of individual behaviors, or is it a symptom of broader cultural issues? Is there a better way to proceed, perhaps more automated and linked to a broader ecosystem? How can we focus on achieving better outcomes, while sustaining the creativity and innovation brought by these new teams? And most critically, have businesses done enough to fully understand their digital teams’ needs and to implement the nimble and agile processes that will support them?
To answer some of these questions, we need to look for early successes: instances where organizations have seen improvements by implementing robust development, security and operations (DevSecOps) processes in their development environments, and where they have made everyone accountable for security, ensuring that security decisions and actions are implemented at the same scale and speed as development and operations decisions and actions.
In the post-pandemic ecosystem, the demand for efficiency in deploying technologies will likely become a driving force. Getting scale, consistency and automation within the organization and then embedding these changes with partners and service providers outside the organization will be a key challenge over the next 12-24 months.
All of this will require breaking down the DevSecOps jargon into simple, action-oriented activities that build appreciation for DevSecOps and embed it into the organizational culture. There are several helpful and manageable strategies organizations should follow.
As organizations move towards transformation, the degree to which they can build and implement an agile team culture will help determine their success. This is only part of the solution, however. In the end, these steps help reduce potential exposures, but a bigger question remains: how do we respond more efficiently when the incidents hit?