Five keys to effective DevSecOps

By taking a holistic view, you can create a comprehensive governance framework while still prioritizing speed and agility.


Caleb Queern

Caleb Queern

Director, Cyber Security, KPMG US

+1 571-228-8011

Lavin Chainani

Lavin Chainani

Director Advisory, Technology Risk Management, KPMG US

+1 410-949-8834

James Williams

James Williams

Director, Advisory, KPMG US

+1 214-840-4822

Ask a CIO, CRO, or CISO what it means to carry out DevSecOps effectively and the typical answer is "We have a plan for that." They likely do, but in many cases, each of those constituencies has different priorities and perspectives.

A well-designed DevOps framework is predicated on increasing delivery speed and customer value through an automated software delivery life cycle (SDLC). But with vulnerability concerns growing, companies need to embed security into the SDLC holistically so development teams can work quickly and safely at scale.

DevSecOps: Where are we now?

Imperatives to think about as you develop your secure DevOps strategy.

Imperative #1

Remove barriers from the development team’s path

Developers want to work within a fully automated pipeline, where they can write elegant, game-changing code. Their primary objectives are to increase the speed and agility with which they write and deliver software in order to drive value both externally to customers and internally across the organization. They have long viewed as speed bumps the legacy manual processes that companies have in place to govern and control their environments.

Imperative #2

Give information security, governance, and compliance seats at the table from the outset

Managing security in a cloud-native, highly automated DevOps environment has become one of the great challenges among companies that develop and distribute software. Security teams have the painstaking job of ensuring that companies avoid negative headlines. They are the unsung heroes who work to protect sensitive customer data and limit the company’s exposure to hackers and other bad actors.

Imperative #3

Empower operations to better support what developers build

In its ideal state, DevOps should be supported by a single, cross-functional team working toward a common objective. However, with developers under increasing pressure to deliver code faster and faster, team priorities are too often misaligned. When problems arise company leadership leans on Operations—i.e., Risk—to assess and repair the damage, with an eye toward maximizing uptime and maintaining reliability through a suite of IT Service Management (ITSM) controls


 

Also learn about:

  • How to prioritize speed and agility while simultaneously implementing a comprehensive governance framework.
  • KPMG perspectives on setting up the best structure for DevSecOps.