Telecom Pioneer Prioritizes DevSecOps Following an Agile Transformation

Laying the foundation

The company’s adherence to leading industry security standards above and beyond local regulation is evidence of its focus on security. They have an international team of over 800 employees focused on constantly monitoring, protecting, and defending their systems and their customers’ data.

Once the company identified the need for DevSecOps, the Cyber Security team reached out to the coaches and consultants assisting with their ongoing Agile transformation to discuss how to best pursue DevSecOps. The Cyber team leads the organization’s detection, response, and recovery efforts. Thus, they provided an excellent environment for a pilot program that would work for scaling to other teams.

One executive sponsor from the company noted, “As we got further along in the Agile transformation, we noticed a lot of teams implementing DevOps in various ways and at different levels of maturity. What was consistent, though, was that they were only considering security at the very end of the process. So, a batch of code might have gone through the entire planning, development and deployment phases, but then it would need to go through the security team’s testing process. This tended to create bottlenecks and rework.”

Security is such an integral part of what the company does. But the fact that it was last in line just didn’t make sense. It became clear that the security element needed to move earlier in the workflow. Without this, the teams wouldn’t be able to enjoy the benefits that DevOps should have been providing for them.

The executive sponsor wanted to build on the foundation of practice that was already forming as the Agile transformation progressed. So she turned to Cprime Lean Agile Coach Farooq Mohammed to help establish a DevSecOps mindset in the Cyber teams.

Steps to success

“The first thing we needed,” the executive sponsor said, “was for each team to include at least one person who was knowledgeable about and dedicated to security. We called these individuals Security Champions, and we worked hard to recruit them throughout the Cyber teams.

The goal here was to ensure that they consider security concerns as early in the development process as possible. DevOps facilitates collaboration between development and operations disciplines to speed the development process and improve quality. Including cyber security considerations is a natural component to include. That way, they could identify and address security concerns earlier in the process.

Likewise, automation in the security testing and scanning process allows for robust security monitoring. And, it mitigates the bottlenecks created when waiting until a batch is ready for release to scan it for security issues.

These new Security Champions met together routinely to share ideas and identify best practices. They also worked diligently to get buy-in from their teams and stakeholders in leadership roles. This proved invaluable as the program scaled.

The executive sponsor recalled, “One of the tools we used was a monthly ‘Hack-a-thon’ where we encouraged participants to try to break our code and help us identify security vulnerabilities. Then, those who participated and showed a real passion for the work became our new Security Champions. This ensured security remained top-of-mind, and we knew we had the right people embedded in teams to support what we were trying to achieve with DevSecOps.”

A security-focused development culture

As the practice matured, the company created a knowledge repository for security-related information. They also included a means by which anyone could report potential issues.

Mohammed noted, “After a while, we began hearing from other departments about potential security issues they had identified. That’s when we knew we’d succeeded in creating a security-focused development culture.”

Outcomes

The automated tools collecting data for analysis are still relatively newly installed across the company’s Cyber team workflows. This means that concrete metrics are not yet available. However, anecdotal evidence already shows a clear positive impact of this move toward DevSecOps.

Knowledge sharing increased dramatically, and everyone was working together.

“We’ve established a more concrete learning path,” the executive sponsor said, “so members of the teams who are interested in upskilling and diving deeper into security have the tools and opportunities they need to do so.”

The executive sponsor also noted that embedding Security Champions within the teams significantly smoothed the deployment and release processes. As more automated security testing and monitoring are implemented in the coming months, the speed and efficiency of the development process will only improve.

If you would like similar results for your organization, reach out to a Cprime DevSecOps expert.

Want to share with a colleague? Download the PDF