
The DevSecOps Culture Shift – What to Expect, How to Adapt

August 30, 2018


IT leaders seeking to adopt DevOps or optimize a DevSecOps culture in their organizations to improve DevOps security face several possible challenges, from the technical to the human-centric. Oftentimes, the process and the technical issues can be resolved, but the people challenges can take a bit longer. I’m writing this blog to help IT leaders understand what cultural challenges you might face as you adopt DevSecOps, and how to respond to help your teams get past these challenges.

Typical DevSecOps Cultural Challenges

IT leaders will experience a wide range of reactions from staff as they are asked to embrace DevSecOps rather than just plain DevOps. The primary reasons are an inherent reluctance to give up something they already have (for example, privileges and authority) and the way separation of duties is enforced (for example, through permissions). These manifest themselves in the following cultural challenges.

IT Staff and Developer Access

Developers and IT admins will no longer have privileges, permissions, or authority to operate, deploy, and administer systems from end-to-end. Their ability to interact with systems will be restricted to predefined automation. The procedures included in the automation will not be accessible outside of DevSecOps. This may make staff feel like they are being replaced with automation (much like manufacturing robots) and may result in a refusal to relinquish the administrator authority they have today.

Access to Secrets

Credentials, accounts, passwords, and keys used in DevSecOps will be unknown even to the most trusted IT staff and developers. Today, they know them or have access to them. However, in a DevSecOps model, they will not—instead, secrets will be coded, stored, rotated, and managed using privileged access management solutions. This shift may make the most trusted individuals feel like they have done something wrong since they no longer have access.

Separation of Duties

A sound DevSecOps process interacts with multiple departments, assets, and resources. No single security boundary spans all of them any longer. Each silo is distinct and automated, and no one individual will (in all likelihood) hold the knowledge of the entire process any longer. This separation of duties will dethrone the individuals who have been the knowledge keepers of the kingdom, and change the culture by distributing that knowledge among the owners within each department. In short, the knowledge hierarchy for operations will change.

How Can You Help Your Team Get past DevSecOps Challenges?

You can help get past these technical, cultural, and emotional challenges by explaining the benefits of DevSecOps and reinforcing that no one is being “punished” if they lose access, credentials, permissions, or authority to assets, applications, or resources they managed in the past. This is an education problem. Technical cultures need an explanation of why things are changing and why the changes will benefit everyone – from security to operations.

While this may sound a bit tongue-in-cheek, I like to use the example from Charlie and the Chocolate Factory (the Johnny Depp version). Charlie’s grandfather worked in a toothpaste factory for low wages screwing the top on toothpaste tubes. He was replaced by a robot and ultimately fired. When the robot broke, someone needed to fix it. Charlie’s grandfather took the new job to fix it for higher wages and learned a new skill set.

DevSecOps is the same (no, you’re not going to be fired!). Teaching someone to join a Windows host to a domain, for example, is easy within the UI. But teaching them to write a PowerShell script, automate it, and maintain it for new versions of Windows is more challenging, and should command a higher salary. Admins will no longer need administrator rights to a system, but must learn how to automate the steps based on business goals.
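To make the domain-join example concrete, and to tie it to the earlier point that secrets are stored and rotated in a privileged access management solution rather than known to staff, here is an added illustration (not code from the original post or from BeyondTrust) of what the automated version of that task can look like. It assumes the Microsoft.PowerShell.SecretManagement module is installed with a registered vault named "PAMVault" (a hypothetical name) that is backed by the organization's secrets store, that a secret named "ad-domain-join" (also hypothetical) holds a PSCredential for an account delegated only the right to join computers, and that the domain and OU values are placeholders. The person running the job never sees the credential; the script retrieves it at run time, uses it once, and discards it.

```powershell
# Added example, not part of the original post. Assumptions are labelled inline.
# Runs under Windows PowerShell 5.1 (Add-Computer is not available in PowerShell 7).
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DomainName = 'corp.example.com',                          # placeholder
    [string]$OUPath     = 'OU=Workstations,DC=corp,DC=example,DC=com', # placeholder
    [string]$VaultName  = 'PAMVault',                                  # hypothetical vault
    [string]$SecretName = 'ad-domain-join'                             # hypothetical secret
)

$ErrorActionPreference = 'Stop'

function Test-DomainMembership {
    # Returns $true when this host is already joined to the expected domain.
    param([string]$ExpectedDomain)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return ($cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain))
}

# Idempotency: re-running the automation on an already-joined host is a no-op,
# which is what lets the same script be scheduled or re-run safely.
if (Test-DomainMembership -ExpectedDomain $DomainName) {
    Write-Verbose "$env:COMPUTERNAME is already a member of $DomainName; nothing to do."
    return
}

# Retrieve the join credential from the vault at run time. The PSCredential
# lives only in this session's memory; it is never typed in, logged, or shown.
$joinCred = Get-Secret -Name $SecretName -Vault $VaultName
if ($joinCred -isnot [System.Management.Automation.PSCredential]) {
    throw "Secret '$SecretName' in vault '$VaultName' is not a PSCredential."
}

try {
    # -WhatIf support lets an operator preview the change without the credential.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Join domain $DomainName")) {
        Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $joinCred -Force

        # Record what happened, never the secret; this line is the audit trail.
        Write-Information "Joined $env:COMPUTERNAME to $DomainName in $OUPath" -InformationAction Continue
        Restart-Computer -Force
    }
}
finally {
    # Drop the reference so the credential does not linger in the session.
    Remove-Variable -Name joinCred -ErrorAction SilentlyContinue
}
```

Run it as `.\Join-Domain.ps1 -WhatIf` to see the intended action without joining, then without `-WhatIf` to perform the join. The point of the design is the separation the post describes: the admin owns and maintains the automation, while the account that actually has the right to join computers is owned by the secrets store and can be rotated there without anyone on the team having to learn the new password.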

Therefore, educate teams as to why you are changing, identify who can step up to the new requirements, and assist them in the journey of growing and re-inventing themselves in alignment with the new challenges DevSecOps will mandate. DevSecOps will still require maintenance and development in a secure fashion, just using a different paradigm than what teams are used to today.

BeyondTrust has developed an infographic describing an eight-step strategy for DevSecOps that leverages the same processes and technology you’re using today for your traditional, on-prem systems. That strategy is meant to be as unobtrusive to existing processes as possible. Check it out today, and if we can help you as you transform DevOps into DevSecOps, read our latest white paper "Secure DevOps: Secrets Management and Beyond" or contact us!

Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust

Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
