Gartner: DevOps is good; DevSecOps is better

DevOps, or the blending of an enterprise's applications development and systems operations teams, has become a trendy IT topic. The new operating model is often employed in conjunction with Agile software development methods and leverages the scalability of cloud computing -- all in the interest of making companies more nimble and competitive. But, according to one expert, the approach as it is typically practiced today doesn't go far enough.

David Cearley, an analyst at Gartner Inc., believes today's CIOs need to revise DevOps to include security. He calls it DevSecOps. "It's development, it's security, it's operations operating as a dynamic force to create solutions," he said.

Investing in firewalls and perimeter defense isn't bad per se, Cearley said. But with high profile breaches at Target, Home Depot and Sony that left these organizations (among others) with black eyes, it's clear that simply guarding the borders is not enough. By adding security to a DevOps program, CIOs and their teams will be forced to think about security in a more granular way -- at the start of the software development process, rather than as an afterthought.

David Cearley

Adding security to DevOps, in classic IT language, turns out to be a people and process problem more than a technology problem. For many organizations, these teams work in separate closets "that don't even have a common wall between them," Cearley said. Still, getting everyone in the same room will be easier than getting everyone on the same page. Luckily, most enterprises have a person uniquely suited to break down cultural barriers and demand that security become a DevOps best practice, Cearley argued: the CIO.

"The CIO is the only one [who] is in a position to do something about this because the security team reports to him, the operations team reports to him, the applications team reports to him and the architecture team reports to him," he said. "The CIO is the leader; the CIO has to direct his team to say, 'If you don't work together, go get another job somewhere else.'"

Confronting the teams' "biases and preconceived notions" of how this work should be done will be one of the CIO's biggest challenges, Cearley said. "The CIO is asking them to rethink that." One suggestion? Rather than accepting separate reports on application development, operations and security, CIOs should reinforce the importance of collaboration by demanding a "unified approach for how we're going to be able to develop, secure, operate and manage the services we're delivering to our users," he said.

Cearley also recommended that CIOs direct the conversation away from security toward risk, which can help IT better integrate the business perspective into the process. "If you start with security, the focus becomes what tools are needed to get the ultimate security. I'm sorry, but that's the wrong focus," Cearley said. "You have to start with risk." By keeping the focus on risk, CIOs will help the business understand how IT can contribute to breaking into a new market or experimenting with a new type of analytics -- as well as how IT can minimize the potential dangers of doing so.

Let us know what you think of the story; email Nicole Laskowski, senior news writer, or find her on Twitter @TT_Nicole.