
Tenable Blog


Mind the (Communication) Gap: How Security Leaders Can Become Dev and Ops Whisperers


Developers, Ops and DevOps teams must incorporate security into their processes – often a hard sell. Here’s how security leaders can successfully align with them to weave security into their tools and workflows.

Establishing security controls across the enterprise used to be the exclusive realm of security teams. Not anymore. As a result, security leaders must get buy-in from developers, IT/OT Ops and DevOps teams to build security into their daily processes. The key is not just better communication, but engaging with these groups where they are, using the language they speak. As this post explains, security departments must transform from gatekeeping naysayers to business partners.

The changing world of enterprise security

As technology environments expand and evolve, incorporating a myriad of asset types and network architectures, including cloud platforms and IaC automation, more and more IT teams find themselves managing a wider array of critically important assets. Consequently, they must implement, adhere to and maintain security controls to protect the data, applications and assets they oversee. In order to protect these assets, it’s become imperative that development teams, DevOps groups and operations teams (both IT and OT) build security into their daily operations and tasks. But security isn’t the core competency of these teams – nor should we expect it to be! Their business goals, priorities and motivations are different – sometimes diametrically so – and that can create inherent resistance to the security team’s goals of mitigating risk throughout the organization.

Let’s start by outlining these differences and the ways to bridge the communication gap that often underpins the resistance these business units aim at the security team.

Why we do what we do

Let’s establish the motivations for the three key players in today’s technology landscape: Security, Development and DevOps. Security teams are driven by the familiar CIA triad of Confidentiality, Integrity and Availability. Controls put in place throughout the organization are designed to ensure one or more of these tenets. Protecting data from exposure, ensuring that assets aren’t compromised and building resiliency into the infrastructure are all key motivations for security.

Development teams aren’t motivated in the same way at all. While there may be some cursory acknowledgement of keeping systems up and running, security isn’t typically top of mind. Developers are builders at their core. They create new functionality, drive sales through new features and architect new software from the ground up. They see security as an obstacle to their goal of building something new. It’s hard to rapidly write and deploy code that delivers fancy new features to your end users when you have to conduct security scans, check in code for review and do whatever else the security team requires. It’s a recipe for immediate conflict: the need to balance efficient coding practices while deploying code that is secure, safe and free of errors that could lead to a compromise of the application.

DevOps teams, however, straddle the line between these groups, shuttling the code, applications and infrastructure from testbeds out into production. Like developers, DevOps sees security as an obstacle, but here, the primary driver isn’t necessarily creating something new, but rather, finding efficient ways to complete their tasks. This usually revolves around immense amounts of automation, which allows DevOps teams to be fast, flexible and able to address large-scale deployments with minimal effort. Here, security is seen as a hindrance to these automation processes because it requires multiple checks to ensure production deployments are safe and secured, and because it creates checkboxes to add to existing DevOps tasks which often aren’t as automated as their other workflows. This can dramatically slow down the deployment process, and that’s where the rub happens again.

Mind the Communications Gap

Looking across the lines, there doesn’t seem to be an obvious place where these teams can intersect and find common ground. Or is there? Security leaders who know that these goals are far more aligned than most realize tend to succeed at breaking down resistance and building a stronger, more seamless security program that meaningfully reduces risk for the organization. It all starts with changing the message to align with what’s important to each of these teams.

WIIFM wins the day yet again

A common mistake security teams make with their communication programs is to assume that everyone understands that security is important, and so they repeat a heavily security-focused message. For most non-security business units in an organization, though, we often fail to explain security in terms that highlight WIIFM, i.e. “What’s In It For Me?”. Realistically, most non-security business units within an organization view security as an obstacle to their own efforts and commonly write it off as “that other team’s job”. Web content filters block websites. Endpoint security prevents the installation of fun games and applications. Email security stops people from clicking on enticing links promising lottery winnings, package delivery updates or tax solutions (seriously, please don’t click on anything like that). When security controls are seen as coming from “the department of no”, is it any wonder that developers and DevOps admins are hesitant to allow security controls into their domains?

Security doesn’t have to be “the department of no”, and the more we embrace security controls that sync with the way users, admins and engineers do business, the easier it is to show them what’s in it for them and the organization as a whole. So, let’s look at some recommendations across the People-Process-Tools triad where you can improve buy-in from your development and DevOps teams and tear down the obstacles that often prevent security teams from maturing and meeting their goals.

Table: People-Process-Tools Recommendations for Security Teams

People

Development Teams

  • Don’t require your developers to become security professionals and learn a bunch of security tools. They live in coding environments, and it’s in everyone’s interest for them to remain there.
  • That said, teaching secure coding practices IS valuable, and helps to bring a measure of security into the overall process by having developers do what they normally do: write code.
  • In communications with developers, acknowledge that there is no expectation that they must use additional security tools or that they are responsible for understanding security at the same level as the security professionals in the org.

DevOps Teams

  • DevOps teams generally have a better alignment with security, but they’re still very busy folks and also shouldn’t be burdened with the expectation that they’ll be security experts.
  • Communications with DevOps teams should, like with developers, highlight the areas where security controls have integration mechanisms that DevOps teams will require to keep their automation engines running.

Process

Development Teams

  • Focus on policy-based controls which provide output to developers in code. That is to say, show where broken code is and what code could be used to fix it instead of a PDF report that shows a “critical severity vulnerability in your app”.
  • Translate security findings into work requests that show exactly what needs to be done and where. (This can and should be automated!)
  • Developers value real-time responses. They’re trying to build new functionality quickly, and waiting on security processes to provide feedback before they can ship code is anathema to the way they work.

DevOps Teams

  • Security controls should be implemented within a DevOps workflow as early in the process as possible. As these teams deal in scale, strong security controls that ensure images, applications, containers and other assets are secured before they’re rolled out in the thousands means that DevOps teams can focus on fixing something just once.
  • As much as possible, adopt a red light/green light (or a go/no go) stance for any issues or problems detected from a security standpoint. This is easier to automate into existing DevOps workflow decision-making trees and prevents DevOps from having to slow down and translate security findings into concrete tasks.
  • Expanding the above point: where possible, provide specific remediation steps to DevOps teams. They’re focused on “getting it done”, and the more time spent trying to figure out what to do only serves to impede their workflows.

Tools

Development Teams

  • Any software product you bring into the development workflows MUST integrate natively into their existing development tools. Do not expect developers to learn new security tools. Instead, bring security into their build environments (and yes, these tools exist!)
  • Security findings should automatically be translated into developer work requests and integrated into issue tracking systems (e.g., Jira).

DevOps Teams

  • Security tools in the DevOps world must have easy and robust APIs and allow for integrations wherever and however the DevOps team works. This means support for multiple cloud platforms, toolsets and scripting languages.
  • Like with developers, security tools should integrate seamlessly into existing DevOps tools and output findings in a way that’s relevant to their workloads. This means integration into IT ticketing systems or other workflow management tools as well (e.g., ServiceNow).
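The Process recommendations above (findings turned into concrete work requests, plus a red light/green light decision the pipeline can act on) can be sketched as a small gate script. This is an added example, not code from the original post or from any Tenable product; the finding fields, the policy layout and the time-boxed waiver are assumptions made for illustration, and the sample findings are constructed.

```python
import hashlib
from datetime import date

# Constructed sample findings; field names are assumptions, not a real scanner schema.
FINDINGS = [
    {"rule": "hardcoded-secret", "severity": "critical", "file": "app/config.py",
     "line": 12, "fix": "Load the key from the secrets manager instead of a literal."},
    {"rule": "outdated-base-image", "severity": "high", "file": "Dockerfile",
     "line": 1, "fix": "Rebuild from the current patched base image tag."},
    {"rule": "verbose-error-page", "severity": "low", "file": "app/errors.py",
     "line": 40, "fix": "Return a generic error body; log details server-side."},
]

# Policy as data: severities that stop the pipeline, plus waivers with an expiry date.
POLICY = {"block": {"critical", "high"},
          "waivers": {"outdated-base-image:Dockerfile": date(2099, 1, 1)}}

def fingerprint(f):
    """Stable id (ignores line number) so a re-scan updates one work item."""
    return hashlib.sha256(f"{f['rule']}:{f['file']}".encode()).hexdigest()[:12]

def evaluate(findings, policy, today):
    """Return ('go' | 'no-go', work_items); every finding becomes a concrete task."""
    decision, items = "go", []
    for f in findings:
        waiver = policy["waivers"].get(f"{f['rule']}:{f['file']}")
        waived = waiver is not None and today <= waiver
        blocking = f["severity"] in policy["block"] and not waived
        if blocking:
            decision = "no-go"
        items.append({
            "key": fingerprint(f),
            "title": f"[{f['severity']}] {f['rule']} in {f['file']}:{f['line']}",
            "what_to_do": f["fix"],
            "blocks_release": blocking,
        })
    return decision, items

if __name__ == "__main__":
    decision, items = evaluate(FINDINGS, POLICY, date.today())
    for item in items:
        print(item)  # in practice, posted to the issue tracker keyed on item["key"]
    print("pipeline:", decision)
    raise SystemExit(0 if decision == "go" else 1)  # exit code is the red/green light
```

The non-zero exit code is what a CI stage reads as the red light, and each work item names the file, the line and the fix.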

Conclusion

At the end of the day, security professionals and leaders need to communicate with their audiences where the audiences themselves are, not where the security folks are. We must demonstrate that the security controls that we want to implement won’t be obstacles to the creation of the new software features and functionality that development teams are focused on. We also need to show how those same controls won’t impede the speed and scalability that DevOps teams thrive on. If we are successful in communicating like this, security teams can move away from being seen as “the department of no”, and instead be recognized as a business partner who empowers the organization to be more operationally efficient while also reducing and mitigating risk to the core mission.
