Today at DevOpsDay Austin Puppet Labs VP Tech Operations, author and recovering security professional James Turnbull gave a presentation on DevOps and Security. I’ve embedded his slide below, but the key point that he made that I’d like to emphasize is the importance of getting security into all IT conversations early.
As Turbull puts it: security is often the last team you call when you have a problem because no one wants to have a security problem. It’s a backwards way of looking at things – hoping you don’t have a security related issue and putting off any resolution until it may be too late. Bringing security into conversations, preferably BEFORE a problem happens, is best practice.
But why doesn’t it? Well, Turnbull illustrates it pretty well in this slide:
I find this funny because in a lot of ways the non-security related IT team sees security the same way many see IT operations overall: as the no team. The people who tell you why you can’t do something, rather than the team that tells you HOW you can.
What’s the solution? Unsurprisingly, the answer is better communication and collaboration across silos. But how exactly do you do that? First, we should look at the root of the problem. Turnbull blames the culture of blame. CYA is a mantra for just about anyone in a corporate setting, and there needs to be a way to reverse that trend. There will be a lot less blame to go around if things are done from the start.
It’s crucial, for the reasons Turnbull mentions, that DevOps include all of ops, including security.