When an IT security person approaches you for the first time, it can be a little intimidating. Fortunately, security folks are on the good team. They’re the good people working to keep your environment humming along safe and sound. The “bad guys” are the ones lurking around outside your organization trying to find a crack to get inside. They might be after data or simply disruption. So, you can see how the security folks have the same purpose as you, even though you might see each other in different ways.
There’s a funny matrix, shown below, that illustrates how different teams in IT see each other and themselves. This matrix made for a good laugh, but the realities portrayed in this picture aren’t so funny.
[Image: Screengrab from Gunn’s presentation (note image credits)]
Devs are wizards, security folks are superheroes, and ops engineers carry the weight of the world on their shoulders. But we need to move the world beyond this picture and the friction it creates.
Sure, there are some differences. But we’ve come a long way. We can look to what’s been done so far and continue this progress toward changing things for the better.
When security meets dev and ops, some core positions can lead to disagreement. Developers are focused on things like the customer, bugs, and “shift left.” Security folks are looking at the ecosystem, vulnerabilities, and breaches. Operations teams are concerned about the infrastructure, hackers, and support tickets. But all three want to move fast!
[Image: Screengrab from Gunn’s presentation illustrating the way different areas of the business view things]
When it comes down to it, there seems to be a missing link in communication. Automation is one place where dev and ops can find some common ground. However, they have different goals for automation, and each group wants different things from its tools.
Security folks think about other things besides vulnerabilities and automation. They’re also outnumbered: there is a shortage of security people in the industry. Most security folks really don’t want to be developers, though some were developers and moved on to something else. They don’t like “shift left” because it sounds like “swipe left.” The connotation is that everyone else gets left behind. But the irony is that the quintessential DevOps image is an infinity symbol: there is no left!
Going back to the common ground, we can look at a few things to start with. Automation, for one, is a great shared value. Gunn borrowed an aphorism from Zig Ziglar: “People don't buy drills, they buy holes.” This is great because it brings the true goal into focus for all parties. The drill and bit are just tools to get the job done. This is true of all tools, including automation tools.
With automation as one possible starting point, where else can dev, ops, and security find common ground? How about these, for starters:
- Know the customer’s views.
- Understand functional and non-functional requirements.
- Model threats.
- Get executive buy-in on security.
- Be patient!
- Educate each other.
Security people can move quickly in their own zone. Gunn says security folks put on their calm faces, but they always have vulnerabilities on their minds: “security is always under the gun.” They have big problems to solve and the stakes are high. Hopefully, we can all take the time to understand each other to move to a better place of harmony.
Missed Angela Gunn’s session, or want to see some other great presentations from October 17? Head over to https://www.alldaydevops.com/live and make sure you’re registered. Then, catch up on what you missed (or re-watch your favorites)!
About the author, Phil Vuollet
Phil Vuollet uses software to automate processes to improve efficiency and repeatability. He writes about topics relevant to technology and business and occasionally gives talks on the same topics. You can find him blogging at thedailylessonlearned.com.