A global tractor manufacturer currently employs more software engineers than mechanical engineers. What does this say to you? Perhaps it’s a clue that for many different businesses, software delivery is now a dominant force in driving organizational success.
This was true well before the current business climate, but it’s worth reflecting on just how much the transition has been accelerated by the pandemic. Organizations have been forced to rapidly digitize their existing services or even deploy fully digital service offerings that never existed before. And for the security team specifically, the new reality has driven home the need to turn to software for support in key processes. In a flagging economy, potential budget cuts are on the horizon. Remote working has thrown into relief security’s reliance on physical proximity and personnel for security processes. And security needs to adapt — in both technology and culture.
With the continued and now rapidly accelerating emphasis on software delivery, the efficiencies delivered by DevOps approaches — practices that combine software development and IT operations — have been put in sharp focus for leadership teams looking to modernize their delivery. But DevOps shouldn’t only be applied where code development and delivery are the primary activity. It can also be used to help existing security capabilities improve their ability to develop and iterate on platforms that reduce business risk. A robust DevOps mindset and culture guides us to:
- “shift left”
- harness the power of automation
- build metrics and monitor them frequently
- increase the velocity of feedback loops
- learn from failures continuously.
Adopting these principles can transform security capabilities just as software outputs have been transformed in numerous global organizations. But DevOps need not be a complete overhaul of existing processes. Organizations taking a “secure by default” approach are already integrating cyber security with minimized friction, a critical idea in DevOps culture. With the wide variety of applications of the DevOps principles of flow, feedback and continuous learning, there are many ways in which your security organization can embrace and enact these concepts.
One significant milestone is enabling security to use the same tools and processes that already empower modern delivery for the development and operations teams. Examples here include Kanban boards and scrums, configuration management tools, and Continuous Integration (CI) systems. Additionally, security should leverage DevOps principles in procuring, building and maintaining its tools.
What does good look like?
Security leadership seeking to embed a strong DevOps culture in their team should keep in mind what good looks like. Find out if these qualities are represented.
- Exploratory: team members examine and act on opportunities to automate processes and activities.
- Highly communicative: members of the team communicate effectively to encourage knowledge sharing and organizational efficiency.
- Problem-solving culture: DevOps teams demonstrate proficiency in problem-solving and know how to prioritize tasks with business objectives in mind.
- Flexible processes: team members maintain a flexible approach to solution delivery to encourage on-the-fly adjustments as business needs inevitably evolve.
- Continuous feedback: teams employ Objectives and Key Results (OKR), Key Performance Indicator (KPI) and Key Risk Indicator (KRI) models to monitor the effectiveness with which they operate and provide feedback mechanisms to enhance service development.
With these attributes in mind, security organizations can transform their approach to software delivery. This will generate many benefits for DevOps organizations: improved work environment, lower development costs and higher user satisfaction are just a few.
Efficient reduction of business risk
In the context of security, one key outcome should be paramount: efficient reduction of business risk. As we recover from the current business climate and transition into the new reality, that key word “efficient” becomes even more important. If security leadership gets this right, it will not only deliver better outcomes for security, it will also give money back to the business.
In the next article, we’ll look at one critical application of DevOps approaches in security: security operations.