Nick Williams Principal Consultant

Our Thinking Wed 10th July, 2024

DevSecOps: Balancing speed, security and user experience

How can organisations leverage DevSecOps to create a customer-centric approach?

The landscape of modern business operations demands agility, reliability, and security in equal measure. While cybersecurity remains a critical concern, the integration of DevSecOps practices has emerged as a pivotal strategy for organisations seeking to fortify their digital infrastructure while accelerating innovation.

At the heart of DevSecOps lies a transformative ethos: the seamless convergence of development, operations, and security functions. This integration isn’t merely about thwarting threats but fundamentally reshaping how teams collaborate and deliver value. It’s a cultural shift that champions iterative development, continuous integration, and rapid deployment, all while safeguarding against potential vulnerabilities.

Recently, I had the opportunity to discuss DevSecOps as part of the Konnecta Ko-Lab Series 2 event in Sydney. At the event, I discussed how organisations can embed DevSecOps practices and the importance of creating a customer-centric culture.

Supporting engineering teams to adopt DevSecOps

One of the biggest barriers to successful DevSecOps initiatives is the entrenched processes within organisations. Most companies operate in silos, where the success of each team is measured by domain-specific metrics. Development teams may be measured on the speed of feature delivery, product teams on net promoter scores (NPS), and security teams on incident response time.

To overcome these barriers, organisations must cultivate a unified vision that places equal emphasis on feature delivery, operational efficiency, and security. 

While everyone agrees in principle that it is important to build secure and reliable systems, for many organisations there are few immediate and obvious incentives to do so.

Creating a shared vision ensures that every team member embraces their role in delivering secure, reliable, user-centric solutions. Without it, non-functional and security requirements are the first thing every initiative trades away. You can find out more about how this can work in practice in our Secure Delivery Playbook.

User-centred security

Encouraging teams to integrate security within their delivery practices can be aided by focusing more on users. While user-centric design practices are becoming increasingly common in organisations, user-centric security hasn’t yet gained the same prominence. 

Concepts such as compliance, governance, and corporate risk are incredibly important to consider during delivery but rarely resonate with everyone in the business who has a say on how work should be prioritised.

When a cyber-attack occurs, it can result in service interruptions, reputational damage or financial penalties for a company. But customers aren’t merely bystanders in the event of a cyber-attack; they’re the true victims. 

They are the person whose bank account was blocked as a fraud-prevention measure, and the person who couldn't book an important appointment because the system was unavailable.

Framing the challenges and outcomes in this way helps all team members see security-related processes as a priority, rather than a blocker or an afterthought.

Balancing security and delivery speed

One of the key questions at the Konnecta event focused on how organisations can balance DevSecOps with delivery speed – whilst staying “ahead of the curve” on cyber security threats.

This is a challenging problem. Cybersecurity is a truly adversarial discipline, and the contest is completely asymmetrical. An attacker chooses the time and the method from a set of techniques they already know, and they need to succeed only once. A defender has to cover every path, including ones that are not yet known, and must succeed every time.

Traditional information security controls, such as defence in depth, least privilege, MFA and threat detection, remain vital. More modern DevSecOps practices build on them and strengthen your security posture:

  • Shift left: Run security testing earlier in the software delivery cycle, where a finding is cheaper to fix and does not block a release.
  • Immutable infrastructure: Infrastructure components, once deployed, are never modified in place; changes are made by building and deploying a replacement. This removes configuration drift and means the running state is reproducible and auditable.
  • Sensible defaults and paved roads: Define a well-supported approach for common use cases so that the secure choice is the easy choice, and create intentional friction when people stray from the path.
  • Regular threat modelling: Revisit what could go wrong, and for whom, as the system changes rather than only at design time.
  • Risk-based approach: Think critically and prioritise the things that will really impact the organisation and its users over those that merely look risky.
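As an added illustration of the "shift left", "immutable infrastructure" and "paved roads" points above (this is example code written for this page, not the article's own or any product's), the following CI gate checks workload manifests against a few secure defaults and fails the build when a deviation is not covered by an explicit, owned, reasoned and unexpired exception. The manifest layout, the rule names, the `exception` block and the sample manifests are all assumptions constructed for the example, loosely modelled on a container deployment spec.

```python
"""Paved-road gate for a CI pipeline (added illustration, not the article's
code). Workload manifests are checked against a few secure defaults; a
deviation passes only with an explicit, owned, reasoned, unexpired exception.
Manifest shape, rule names and sample data are hypothetical."""
from __future__ import annotations

import re
from datetime import date

# Only a digest reference is immutable; a tag such as ":latest" can be repointed.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def _non_root(c: dict) -> str | None:
    if not c.get("securityContext", {}).get("runAsNonRoot", False):
        return "container may run as root (runAsNonRoot not set)"
    return None

def _not_privileged(c: dict) -> str | None:
    if c.get("securityContext", {}).get("privileged", False):
        return "container requests privileged mode"
    return None

def _pinned_image(c: dict) -> str | None:
    image = c.get("image", "")
    if not DIGEST_RE.search(image):
        return f"image {image!r} is not pinned by digest"
    return None

def _has_limits(c: dict) -> str | None:
    if not c.get("resources", {}).get("limits"):
        return "no resource limits set"
    return None

# The paved road: rule name -> check that returns a message on deviation.
RULES = {
    "non-root": _non_root,
    "no-privileged": _not_privileged,
    "pinned-image": _pinned_image,
    "resource-limits": _has_limits,
}


def exception_valid(exc: dict | None, rule: str, today: date) -> bool:
    """Intentional friction: an exception must name this rule, an owner and
    a reason, and carry an ISO expiry date that has not passed."""
    if not exc or rule not in exc.get("rules", []):
        return False
    if not exc.get("owner") or not exc.get("reason"):
        return False
    try:
        return date.fromisoformat(exc["expires"]) >= today
    except (KeyError, TypeError, ValueError):
        return False

def evaluate(manifests: list[dict], today: date) -> list[tuple[str, str, str]]:
    """(workload, rule, message) for each deviation lacking a valid exception."""
    findings = []
    for m in manifests:
        for rule, check in RULES.items():
            msg = check(m["container"])
            if msg and not exception_valid(m.get("exception"), rule, today):
                findings.append((m["name"], rule, msg))
    return findings

def gate(manifests: list[dict], today: date) -> int:
    """Pipeline exit code: 0 only when every workload is on the road or excepted."""
    findings = evaluate(manifests, today)
    for name, rule, msg in findings:
        print(f"FAIL {name} [{rule}]: {msg}")
    return 1 if findings else 0


# Constructed sample manifests, not real deployments.
_DIGEST = "sha256:" + "a" * 64
RUN_DATE = date(2024, 7, 10)
SAMPLE_MANIFESTS = [
    {"name": "web",  # fully on the paved road
     "container": {"image": f"registry.example.com/web@{_DIGEST}",
                   "securityContext": {"runAsNonRoot": True},
                   "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}},
    {"name": "legacy-batch",  # strays twice; exception covers only non-root
     "container": {"image": "registry.example.com/batch:latest",
                   "securityContext": {"runAsNonRoot": False},
                   "resources": {"limits": {"cpu": "1", "memory": "1Gi"}}},
     "exception": {"rules": ["non-root"], "owner": "batch-team",
                   "reason": "vendor binary requires uid 0; migration tracked",
                   "expires": "2025-01-31"}},
    {"name": "ingest",  # exception has expired, so the friction re-applies
     "container": {"image": f"registry.example.com/ingest@{_DIGEST}",
                   "securityContext": {"runAsNonRoot": True, "privileged": True},
                   "resources": {}},
     "exception": {"rules": ["no-privileged", "resource-limits"],
                   "owner": "data-team", "reason": "needs raw device access",
                   "expires": "2024-06-30"}},
]

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_MANIFESTS, RUN_DATE))
```

Run in the pipeline before deployment; a non-zero exit code fails the build. The point is the friction rather than the particular rules: an engineer can still ship a root or privileged container, but only by recording who accepted the risk, why, and until when, and an expired exception puts the block straight back. That gives the security team a living list of accepted risks to revisit instead of deviations that were never written down.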

Ultimately, the best position to be in is one where you can respond to change quickly. With these DevSecOps practices established, a fix for a new threat can travel through the same pipeline that delivers features, which makes that response far easier. Without them, the response falls back to operational measures: shutting down services, preparing service desk teams to take calls, and displaying informational landing pages for end users.

While it's easy to state these principles, implementing them in practice is challenging and ultimately there are no perfect solutions, only trade-offs. You need good people, aligned behind agreed security positions and incentivised to prioritise security, who can make informed trade-offs. At some point they will need to decide when to sacrifice delivery speed, assume technical debt, or accept a security risk, and that decision should be made explicitly and recorded rather than made by default.

Creating a customer-centric culture through DevSecOps is possible, but requires a careful balance of speed, security and reliability. Cybersecurity is a top tech interest for Australian businesses in 2024. If you want to learn more about how we can support your DevSecOps initiatives, contact our team in Australia today.