Why Organizations Should Pivot to DevSecOps

The first iteration of making development and operations a tandem was DevOps. The strategy married the two as both a practical, tactical way of working and a cultural philosophy. The objective was to automate and integrate software development and IT operations. However, it left out a fundamental principle: security. That was rectified with the origination of DevSecOps, the trifecta of development, security, and operations.

Security was previously an isolated segment of the process, bolted on at the end. That wasn't very effective. Leaving security as an afterthought meant delays in new iterations and lots of rework, which was expensive. There was a realization that security shouldn't be sidelined but deserved a full seat at the table. Collaboration among all three can lead to many benefits, so why hasn't every organization pivoted? And why should they now?

Secure by Design

The underlying foundation of DevSecOps is to be secure by design. Security is a consideration at the conception of the project, not an afterthought. Even in rapid deployment, which is part of today’s digital transformation schematic, security must be part of the concept.

What makes DevSecOps important to cybersecurity is the notion that everything developed and operated has consistent security controls, and that those controls scale with the delivery pipeline rather than being re-invented per project. The biggest clash in DevSecOps may be between your security experts and those who see security as a hindrance. This hurdle can seem insurmountable, and as a cyber leader, you may have to put yourself in a position to evangelize that security doesn't have to impact agility.

Creating a Balance: Security and Agility

Business leaders in your organization demand velocity in development and operations. The reasons are apparent — greater efficiency, reduced costs, and more revenue opportunities. Those priorities may not be yours. You can understand the need for faster development to support these business objectives. Still, you’re also keenly aware that your company won’t meet its goals without security in applications and operations.

The question then becomes, how do you balance security and agility? From your perspective, you know that security and agility aren’t mutually exclusive. Security doesn’t halt agility and can support it. The misconception that security is a barrier to innovation isn’t new, yet it persists. It may even be present in your cyber team. As a result, you must make a case for security, knowing that your security mindset narrowly focuses on risk in a way that development and operations cannot.

Now, you’re at a crossroads of convincing technical and business stakeholders that all three can work harmoniously. There are plenty of guides to building DevSecOps, and I’m not going to rehash those. Rather, I want to show you how the Secure Methodology™ and DevSecOps have much in common.

Applying Secure Methodology Lessons to DevSecOps

As a refresher, the Secure Methodology is a seven-step framework that helps cybersecurity leaders transform their staff into effective communicators and collaborators. It's a pathway for technically adept folks who lack the foundational people skills to become curious, innovative, and open to growth. In a way, the Secure Methodology has many things in common with DevOps and DevSecOps cultures. In all three concepts, there are synergies, including:

  • Collaboration and shared responsibility
  • Accountability in every aspect of the cyber landscape
  • Standardization around cybersecurity practices
  • Aligning security with business objectives
  • Increased transparency and communication
  • Continuous learning and improvement
  • High empathy and trust

These are all cornerstones of the Secure Methodology and DevSecOps. Next, we’ll go through the seven steps and how they can help you pivot your organization to a DevSecOps framework and culture.

Step One: Awareness

Awareness is the first step because you can’t move any further without it. It’s about being aware of yourself and the behaviors you can control. Additionally, there is the awareness of others. To be a successful professional and person, you have to have both.

When awareness is missing, it causes issues, including inadequate communication, resentment, animosity, competition, and many other things that detract from security.

Awareness is a key component of DevSecOps because all three parties must be aware of one another in such a framework. Code cannot move from development into operations without passing through security's checks, for example.

Using the tools of the Awareness step could help bridge the gaps between these groups and break them from their silos. The critical areas of focus should be:

  • Perspective beyond a person’s limited view
  • Respectful and transparent communication

Both things feed into the next step, Mindset.

Step Two: Mindset

Mindset impacts everything we do. When it’s one of growth, we see opportunities, encourage feedback, and embrace uncertainty. When it’s fixed, we do the opposite. A growth mindset is the goal. Without it, you’ll never achieve security by design because there’s no ownership and accountability.

The problem with technical (and nontechnical) people is that they run from the truth and feel comfortable only with what they know. That’s risky behavior in the realm of cybersecurity. Moving mindsets is really hard. Not all will be able to hack it, but if it becomes part of your cyberculture, it’s ideal for a shift to DevSecOps, which is all about transparency and honesty.

The Secure Methodology includes exercises designed to help with this transformation. Another thing to note is that you have to talk about mindset in general when you have development, operations, and security staff together. You are outlining how each person needs to adapt their mindset for everyone to find success.

Step Three: Acknowledgment

Next is Acknowledgment, and it's a big challenge for cybersecurity teams. There is a general lack of appreciation from supervisors to employees in many organizations. The nature of cybersecurity is to focus on what went wrong because something always will. I'm asking you to refocus on all the things that go right every day.

Acknowledgment is all about feedback, which is critical in DevSecOps too. Not all feedback will be positive, but when it's not, it should be constructive so that people learn from what occurred instead of being humiliated. Humiliation leads to resentment, disengagement, and turnover, and that's not good for any company or its security posture.

The act of acknowledging others makes people better at what they do. It builds their confidence and helps them grow their skills and be better collaborators and communicators, and every DevSecOps culture needs that to thrive.

Step Four: Communication

Communication is the most important step. It will make or break any team or company. Without consistent and transparent communication, you'll never achieve DevSecOps, even if everyone's on board. It simply doesn't work.

Communication is about more than words. It's how they are said and the nonverbal elements as well. The biggest communication barrier is often geek speak. Security, development, and operations may each have their own version of it, and each group may believe its jargon signals expertise. In reality, it causes confusion, frustration, and distrust, which aren't the kind of emotions you want in any room.

You and your entire organization must make improving communication a priority. You have to create an environment that appreciates clear and positive communication. I recommend looking at the exercises in my book for more details on this so that communication becomes an asset, not a weakness.

Step Five: Monotasking

Monotasking means concentrating on one task at a time, which is crucial in cybersecurity. The problem is that society, in general, discounts it as not being flexible or able to juggle multiple things. We've been conditioned to believe we should be multitasking. So, you have the challenging job of rewiring brains to understand that multitasking causes risk!

Well, it may not solely be on your shoulders, because DevSecOps and its proponents will agree. While it's the convergence of three areas, DevSecOps appreciates workflows and processes that build on each other. You don't move to the next one until you finish the first one. If you can retrain your team to focus deeply on specific tasks without distractions, velocity and productivity will improve rather than suffer.

Step Six: Empathy

You may be wondering what empathy has to do with cybersecurity and DevSecOps. But we've been building up to this with the discussion around awareness, acknowledgment, and communication.

Empathy makes us human in many ways, but it’s become something lacking in the world and at work. At the end of the day, we’re all human, and if we can appreciate the perspective of others, we can be better problem-solvers and collaborators. It easily applies to DevSecOps because three independent groups have to empathize with the others and understand their position for it to work.

If you can build empathy in these teams, you can move to the final step, Kaizen.

Step Seven: Kaizen

Kaizen is a Japanese term meaning “continuous improvement.” As people and professionals, we always want to be improving. We want the same for our development, operations, and security. It’s all about progress, no matter how small, as long as it’s constant.

It’s the ideal ending of the process, but not one that ever ends. It’s the same for DevSecOps. It’s a circle, not a line, after all.

You can learn more about the Secure Methodology and how it aligns with DevSecOps by reading my book, The Smartest Person in the Room. Check out my Secure Methodology course too.

The Secure Methodology™ and Cybersecurity Leadership

The advent of technology makes it easier for us to communicate with our staff and improve our business processes. However, it can also be a major risk to our organization: attackers are constantly probing, waiting for the right moment to steal information from us.

We need to strengthen the skills of our technical staff by utilizing The Secure Methodology. Through The Secure Methodology, we can help our staff improve their communication skills and encourage them to lead with their hearts and intuition, rather than just their logical minds.

Generally speaking, The Secure Methodology is a step-by-step guide designed to help us improve interpersonal skills so we can easily practice honest and effective communication. The Secure Methodology also promotes more in-depth understanding, allowing every person in the organization to be on the same page and work together towards a common goal, such as stopping cybercrime.

Benefits of the Secure Methodology

Cybercrimes are common worldwide, which is why it's important for organizations to take preventive measures. The strategies organizations commonly use today clearly aren't sufficient, since the number of cybercrimes continues to increase.

The Secure Methodology is different from other existing strategies because it leads us to better results without requiring more investment in technologies or cybersecurity frameworks. Here are a few of the benefits:

  • Better security: By practicing the seven steps of The Secure Methodology, we'll have greater confidence that our organization and its trade secrets are less vulnerable to cybercrime. The Secure Methodology provides for a better understanding and mitigation of risks to protect our organization from attackers worldwide.
  • Cost reduction: Losing vital information costs money. How can we continue producing products if our trade secrets are stolen? How can customers trust us if their information is in the hands of attackers? When we practice The Secure Methodology in our organization, we reduce the costs associated with cybercrime. Instead of spending money to minimize the effects of an incident, we can use it in other areas that help our business improve and grow.
  • Develop total intelligence: One of the biggest benefits of The Secure Methodology is helping leaders in the organization develop and lead with total intelligence. Through The Secure Methodology, we can learn to lead using our people skills, as well as our hearts, logic, and intuition. Being able to use different types of intelligence will make us better leaders and better equipped to combat cybercrime.

The Secure Methodology isn’t just about helping our technical team prevent cybercrimes; it also teaches us different strategies to help improve ourselves and our organization in the long run.

Why the Secure Methodology Was Written

The Secure Methodology was written as an attempt to improve teamwork and cybersecurity in an organization. Yes, there are countless techniques that are meant to help organizations fight against cybercrimes, but not all of these are effective. In fact, looking at the cybersecurity status quo, we see that cybercrimes continue to affect organizations regardless of the size and nature of their business.

The Secure Methodology reinvents how organizations improve and also protect themselves from cybercrimes. Instead of merely using logic and intelligence in combating cybercrimes, the Secure Methodology aims to beat cyber criminals by developing the holistic skills of the staff and by using logic, emotion, and instinct equally.

Moreover, the Secure Methodology helps leaders get their technical people to strengthen their people skills and encourage them to lead with their hearts and instincts. Once we can accomplish these goals, we can quickly improve communication skills, making it easier for the organization to discuss issues and fix them as soon as possible.

The Secure Methodology allows leaders to know where their people are coming from and what kind of help their staff needs when issues arise. When we know what the world looks like from their perspective, we can provide solutions that address the root cause of the problem.

Overview of The Secure Methodology 7 Steps

1. Awareness

Awareness has two aspects: self-awareness and the awareness of others. As the name suggests, self-awareness is about understanding our behavior or the behavior we can control. Even as a single human being, we should keep in mind that we impact the world around us, which is why we should be mindful of how we interact within it. For example, how, when, and where we frown or smile can significantly impact someone, and we should be aware of it.

Technical individuals and humans in general struggle with self-awareness because we often fill our lives with stimuli, namely social media and games. This removes the time needed to reflect on our actions. Leaders like us also face the same dilemma: we might show up in a meeting in a negative mood, not thinking how this demeanor can impact our staff and their progress during the day.

Being aware of others is also an important part of the Secure Methodology. When we’re only aware of our own actions, we’re not only being self-centered; we are also not helping solve problems in the organization.

For example, if we see a staff member crying at her desk, it’s best to ask her how she’s feeling instead of making an assumption. Making assumptions and being unaware of others’ emotions will likely make us angry and confrontational, making the situation worse.

2. Mindset

There are also two types of mindset often exhibited by staff in an organization: growth and fixed. Individuals with a fixed mindset believe things are the way they are, and they’re no longer capable of changing. For example, technical staff with a fixed mindset in an organization may often claim, “I’m not very good with people.”

Conversely, someone with a growth mindset will say, “I understand I have challenges working with people, but I’m confident that I can get better.” With a growth mindset, a person understands what they’re struggling with and is open to learn and make changes.

3. Acknowledgment

Acknowledgment in The Secure Methodology covers a lot of items. For starters, we should encourage our technical staff to focus on self-acknowledgment. Instead of letting them think that they’re not good enough, we should encourage them to acknowledge that their skills are vital to the organization.

Acknowledgment is also important for leaders like us. When we want our technical team to improve their behavior at work, we should acknowledge everything that they have accomplished in the past and let them see what they can do if they gain more skills. This will prevent them from shutting down and motivate them to change.

4. Communication

Communication is about how we interact with our staff and the type of language we use. In short, communication isn’t just about the words we use; it’s also about our body language and tone. We also need to keep in mind that the meaning of communication is the response you get.

It’s common for technical staff to miss out on body language or tone and only focus on the words being communicated to them. This is problematic and often leads to issues when communicating within the organization. As leaders, we should help our technical staff understand different communication patterns and body language displayed by the speaker. We also need to train our team to listen better, rather than just waiting for a gap in the conversation to speak.

5. Monotasking

Technical staff in an organization have to accomplish different tasks regularly, but this doesn’t mean they should do everything in one sitting. Multitasking has been hyped for so long, yet following this concept at work doesn’t guarantee better or more outcomes. In some cases, attempting to take on several tasks at one time will only result in anxiety and many unfinished projects.

As part of The Secure Methodology, we should highlight to our technical staff the importance of working with one task at a time. When technical staff practice monotasking, they can easily produce quality work because their focus is poured into one task only.

Monotasking also helps with communication, because if you are monotasking during a conversation, you are present and listening better.

6. Empathy

It's common for technical people to think that they're the only individuals in the organization with problems, and that everyone else has it easy. This kind of thinking is self-centered, and left unaddressed it leads to bigger problems.

When our technical staff are self-absorbed, they are at greater risk of isolation and low morale. Their lack of connection to other people will also make it very challenging for them to collaborate in problem-solving.

For The Secure Methodology to work in our organization, there should be empathy across all levels. Our technical staff shouldn’t jump to conclusions immediately. Sure, their role in the organization is challenging, but this doesn’t automatically mean that the other staff has easier roles to play.

As leaders, we should teach our technical staff the importance of empathy by helping them understand that other people also have different challenges and that they shouldn’t quickly judge others because they have different situations.

7. Kaizen

Kaizen is a term that means "change for the better," which is the ultimate goal of The Secure Methodology. If we want to improve our organization's cybersecurity, we should establish a new process and examine it continuously. Constant and never-ending improvement (CANI) is an essential ingredient in achieving goals, no matter how big or small.

Key Takeaway for Each Step

  1. Awareness means we should be conscious of other people’s behaviors and why they behave in a certain way, just like how we want other people to be conscious of how we are.
  2. Without the right mindset, it’s challenging for any of our staff to change and grow. As a leader, we should believe that every single person in our organization has the capability to change. It is also our responsibility as leaders to remain committed to change. Change doesn’t happen overnight; we must also have the right mindset to commit to change.
  3. We should acknowledge our technical team every time they make the slightest progress in their behavior at work. This will encourage them to permanently adopt positive behavior and grow more in their field of expertise.
  4. Communication plays a vital role in the relationship of every staff member in an organization, which is why we should ensure everyone regularly practices open and honest communication. Aside from making sure that everyone is provided with various communication channels, we should also teach the importance of tone and body language and how this can help us understand the speaker better.
  5. Most technical staff don’t know how to monotask, and it is up to us as leaders to change that behavior. When our technical staff focuses on one task at a time, they can produce more and better output during the day. Knowing how to monotask is also an excellent way for our technical staff to look after their mental health as they can keep anxiety and stress at bay.
  6. Every individual in the organization deals with some type of challenge. Instead of judging others based on their behavior, we should put ourselves in their shoes and understand where that person is coming from. When everyone in the organization knows how to empathize, the team generates better results.
  7. When our organization tries something new, say improving our cybersecurity, we can’t expect to succeed during the first, second, or even third try. Kaizen is the understanding of this process and the encouragement to continue trying. To get desirable results from our efforts, we need to practice regularly and not just dabble.

Short Activity for Each Step

  1. One activity to broaden the awareness of our technical staff is to let them reflect on what happened to them on the previous day and instruct them to imagine themselves as if that were their last day on earth. When they know they have limited time to live, they would likely treat others the way they want to be treated.
  2. Keeping a journal is a great way to develop a growth mindset within our team. We can encourage our team to journal every day for a month about the things they’re grateful for and the things they’ve learned. After 30 days, we can meet as a group and then discuss how everyone has grown in a month.
  3. One simple way to acknowledge the progress made by the team is to keep a cookie jar filled with notes about their accomplishments at work. When anyone in the team feels discouraged or hopeless, they can easily get notes from the cookie jar to remind them of what they’ve accomplished in the past and what they can do if they continue to strive.
  4. To improve communication within the team, teach them the NLP eye-pattern model: the direction a person looks (left or right, up or down) when recalling or constructing information is said to indicate which kind of memory they are accessing, and some proponents claim it can reveal when someone is lying. Note that controlled studies have not found eye direction to be a reliable indicator of deception, so use this as an exercise in noticing nonverbal cues rather than as a lie detector. Check out this diagram.
  5. Dividing our team’s day into time blocks will allow everyone to work on things that matter the most. We can simply let them list down the tasks they have during the day and arrange them on time blocks so they’ll know what to work on during a specific timeframe within the day.
  6. One activity to teach our technical team empathy is to have them pair up and have each person make assumptions of the other and then have them discuss their similarities. This activity will help our technical team stop making assumptions about others and encourage them to look for similarities. This will eventually help them develop their empathy.
  7. Kaizen focuses on reflection and never-ending growth, so we can have our technical team keep a workday reflection journal to write down their challenge or win during the day for a week. Then, we can schedule one-on-one meetings with them to discuss what they wrote in their journals and discuss how we can improve their weaknesses or challenges.

For anyone who is interested in learning more about the Secure Methodology, you can get the book or enroll in its program.

Check Out The Smartest Person in The Room