The shift to the cloud has introduced greater complexity as well as the need for security teams to work at speed and build guardrails to enable developers to move fast. However, many organizations are facing difficulties in doing this and in managing risk across their operations.
The solution? Breaking down silos, bridging knowledge gaps, and establishing strong, trustworthy bonds between security teams and their Dev and DevOps counterparts to minimize risk and maximize peace of mind.
Martin Bally, VP and CISO at Campbell Soup Company, Alex Schuchman, CISO at Colgate-Palmolive, and Sara-Michele Lazarus, Head of Trust and Security at Stavvy discussed how they’ve successfully connected security and dev teams across the cloud development life cycle.
The actionable insights they shared include:
Why closer collaboration should include sharing knowledge, tools, and responsibilities between security and DevOps.
How closer working ties make a shift-left approach possible, enabling code to be tested earlier and more often within the CI/CD pipeline.
Why collaboration succeeds when security and DevOps teams speak the same cloud language.
Empathy is the foundation of effective collaboration
Before any attempt at closer collaboration can be successful, both teams need to undergo a mindset change, according to Bally.
“You have to build empathy, try to understand what the other team is attempting to achieve, and walk in their shoes. For example, security teams can’t just sit there and dictate what DevOps should do without first understanding their job and forming a partnership.”
Martin Bally, VP and CISO, Campbell Soup Company
Schuchman agrees. “You have to treat cloud security as a collaboration effort,” he says. “You can’t just spot an operating system vulnerability and throw it over the fence, telling the dev team to go patch it and tell you when it’s fixed. That approach will never work.”
One way to encourage collaboration is to literally remove the silo or “fence,” placing security and DevOps within the same organizational structure. This is the strategy that Lazarus has adopted, with both teams grouped together within the firm’s Trust and Security function. “The end result of this closer collaboration is that everyone in DevOps ends up being a security champion—an extension of the security team—because they’re so familiar with security issues and the team’s way of thinking,” says Lazarus.
Collaboration makes shift-left strategies possible
This collaboration enables Lazarus to successfully deploy shift-left strategies, testing code earlier in the production cycle and more often than would otherwise be possible.
“We’re already using tooling so that developers understand and can take action if there’s a vulnerability in their code,” she says. “The aim is to address it before it’s deployed into production. We have a lot more tools in the pipeline, and we are working on maturing our processes to leverage those tools.”
The security and DevOps teams also troubleshoot code together, and they interview and vet each other’s recruitment candidates in order to build closer links.
“That close connection ensures we’re working and collaborating on shared goals, which ultimately means we move faster. It’s critical that the security team is seen as a facilitator, rather than the department that says ‘no,’” Lazarus adds.
Schuchman has also successfully leveraged shift-left strategies. He says his company is “knee deep” in the shift-left journey. As a result, his team has moved beyond traditional posture management and infrastructure checks and is now embracing containers, API keys and cloud-native development.
He says shift-left has also helped reduce the boundaries between security and DevOps, empowering these teams to share knowledge, tools, and, ultimately, responsibilities.
DevOps colleagues within Colgate initially wanted to leverage the agility of the cloud, without first understanding the dangers or the misconfigurations that could take place during cloud migration, according to Schuchman.
“My team’s attitude was that we are here to help—we are here to show developers what to do, enable the right settings, and facilitate—rather than put up roadblocks.”
Schuchman says his goal has always been to end the “us against them” dichotomy between security and DevOps. An important step was making the information and tools previously monopolized by security available to DevOps. This enabled them to review their own code for vulnerabilities, build business-friendly security solutions, and generally help shoulder the increasing security burden.
How to empower developers to check and remediate their own code
With developers empowered to analyze their own work for security weaknesses, everyone has an important stake in cloud security.
“Now, when our developers find a vulnerability early in the code production process, they don’t have to wait for us to do a scan. They can do it themselves and begin the remediation process immediately.”
Alex Schuchman, CISO, Colgate-Palmolive
Schuchman says code remediation skills and tools should be standard for a wide range of colleagues, from cloud infrastructure experts and DevOps team members to junior developers with limited experience, rather than reserved solely for security teams.
Speaking the language of cloud security
One common barrier to closer collaboration is that security teams often speak a different language than their DevOps colleagues, using terms and phraseology that may cause confusion. However, there is a straightforward solution to this linguistic barrier, according to Schuchman.
“The traditional security practitioner isn’t typically cloud aware,” he says. “Rather than using language DevOps instantly understands, they use traditional infrastructure terms and VM-related terms. But there are Google Cloud and AWS training courses designed to help security practitioners get the language right, so they’re talking the same language.”
For Bally, speaking the same language not only improves communication between teams, it also helps to foster a stronger sense of empathy between DevOps and security. Once individuals speak the same language, they are more likely to understand each other’s perspective, and it’s that deep sense of a shared mission that will embed collaboration going forward.