Is Security a Dev, DevOps or Security Team Responsibility?
No matter what role you work in — software development, DevOps, ITOps, security or any other technical position — you probably appreciate the importance of strong cyber hygiene.
But you may be unsure whose job it is to act on that principle. Although the traditional approach to cybersecurity at most organizations was to expect security teams to manage risks, security engineers often point fingers at other teams, telling them it’s their job to ensure that applications are designed and deployed securely.
For their part, developers might claim that security is mainly the responsibility of DevOps or ITOps, since those are the teams that have to manage applications in production — the place where most attacks occur — whereas developers only design and build software.
Meanwhile, the operations folks often point their fingers back at developers, arguing that if there are vulnerabilities inside an application that attackers exploit once the app is in production, the root cause of the problem is mistakes made by developers, not DevOps or ITOps engineers.
On top of all of this, engineers can treat other stakeholders as bearing primary responsibility for security. They might say that if a breach occurs, it’s because a cloud provider didn’t have strong access controls or because end users did something irresponsible, for example.
Cloud Security Is a Collective Responsibility
Who’s right? Nobody, actually. Security is not the job of any one group or type of role.
On the contrary, security is everyone’s job. Forward-thinking organizations must dispense with the mindset that a certain team “owns” security, and instead embrace security as a truly collective team responsibility that extends across the IT organization and beyond.
After all, there is a long list of stakeholders in cloud security, including:
- Security teams, who are responsible for understanding threats and providing guidance on how to avoid them.
- Developers, who must ensure that applications are designed with security in mind and that they do not contain insecure code or depend on vulnerable third-party software to run.
- ITOps engineers, whose main job is to manage software once it is in production and who therefore play a leading role both in configuring application-hosting environments to be secure and in monitoring applications to detect potential risks.
- DevOps engineers, whose responsibilities span both development and ITOps work, placing them in a position to secure code during both the development and production stages.
- Cloud-service providers, who are responsible for ensuring that underlying cloud infrastructure is secure, and who provide some (though certainly not all) of the tooling (like identity and access management frameworks) that organizations use to protect cloud workloads.
- End users, who need to be educated about cloud security best practices in order to resist risks like insecure sharing of business data between applications and phishing attacks.
It would be nice if just one of these groups could manage all aspects of cybersecurity, but they can’t. There are too many types of risks, which manifest across too many different workflows and resources, for cloud security to be the responsibility of any one group.
Every Organization — and Every Security Responsibility Model — Is Different
On top of this, there is the challenge that, depending on your organization, not all of the groups above may even exist. Maybe you no longer have development and ITOps teams because you’ve consolidated them into a single DevOps team. Maybe you’re not large enough to employ a full-time security team. Maybe you don’t use the public cloud, in which case there is no cloud provider helping to secure your underlying infrastructure.
My point here is that organizations vary, and so do the security models that they can enforce. There is no one-size-fits-all strategy for delegating security responsibilities between teams or roles.
Putting DevSecOps into Practice
All of the above is why it’s critical to operationalize DevSecOps — the idea that cloud security is a shared responsibility between developers, security teams, and operations teams — across your organization.
Now, this may seem obvious. There’s plenty of talk today about DevSecOps and plenty of organizations that claim to be “doing” DevSecOps.
But just because a business says it has embraced DevSecOps doesn’t necessarily mean that security has seeped into all units and processes of the business. Sometimes DevSecOps is just jargon that executives toss around to sound like they take security seriously, even though they haven’t actually changed the organizational culture surrounding security. Other times, DevSecOps basically means that your security team talks to developers and ITOps, but your business still treats the security team as the primary stakeholder in security operations.
Approaches like these aren’t enough. In a world where every year sets new records for the pace and scope of cyberattacks, security truly needs to be the job of your entire organization — not just technical teams, but also nontechnical stakeholders like your “business” employees and even external stakeholders such as cloud-service providers and partners. It’s only by enforcing security at every level of the organization, and at every stage of your processes, that you can move the needle against risks.
Conclusion: To Change Security, Change Your Mindset
So, don’t just talk about DevSecOps or rest on your laurels because you’ve designated a certain group of engineers as the team that “owns” security. Strive instead to make cloud security a priority for every stakeholder inside and outside your business who plays a role in helping to protect IT assets. Until the answer to “who’s responsible for security?” is “everyone,” you’ll never be as secure as you can be.
Want to take charge of your cloud security? The Orca Cloud Security Platform offers comprehensive visibility into your cloud environment, providing prioritized alerts for vulnerabilities, misconfigurations, compromises and other potential threats across your entire inventory of cloud accounts. To get started, request a demo of the Orca cloud-security platform or sign up for a free cloud risk assessment today.
- Enabling DevSecOps: Meet the Orca GitHub App
- Going from Ideas to Reality: Implementing Your Cloud Security Strategy
- The Top Cloud Security Trends to Watch in 2023