Debunking The Myth Of Security Versus Speed To Market

More than ever, speed is of the essence in business, with time to market becoming a top priority for companies looking to maintain a competitive advantage. Once-foreign terms like DevOps have entered the lexicon of C-suites and executive teams that see the need to put new software — the lifeblood of modern business — into operation as quickly as possible.

Regulated organizations, however, face a unique challenge. Their operating model is governed more heavily by issues such as security, privacy and compliance, with regular audits adding teeth to those concerns. A breach or major software vulnerability at a company in a regulated industry (e.g., financial services, energy, healthcare, motor vehicles or air transportation) could prompt regulators to put major products or even whole businesses on hold while handing down severe penalties. The Federal Trade Commission, for instance, reached a $575 million settlement (which could go up to $700 million) with Equifax last year over the credit reporting company’s 2017 data breach.

Those organizations can’t release new software multiple times a day without the appropriate guardrails. Yes, regulated companies need to improve time to market for new software, but they must balance that speed with an equal focus on security, privacy and compliance. They can start by improving how they meet their risk management requirements in a software development environment that is increasingly adopting the Agile and DevOps methodologies of automated testing and continuous integration and delivery. Some of the drag on development comes from the necessary focus on governance, risk management and compliance (GRC).

A GRC-focused effort combines elements like security, enterprise risk management, corporate governance and compliance. But although the concept of GRC is to coordinate those elements, in practice, the teams performing those functions often operate separately, outside of software development workflows. A security team, for instance, has little incentive to speed up software development; they’re more interested in assessing risk across the enterprise. Other teams, such as privacy and risk management, can overlap, resulting in duplicate processes that further slow development.

Even if regulated industries can’t entirely adopt the model of rapid and continuous software delivery, they can still apply collaborative DevOps principles with regard to security. Many practitioners of DevOps are moving to DevSecOps, which incorporates security tools and testing from the start and keeps security as a part of its continuous, automated processes.

Collaboration is essential to the process. Policies and compliance regulations notwithstanding, shipping software quickly is still critical, so organizations need to make it a priority not just for the people who build it, but also for the teams that play a role in its development. If a legal office or marketing team will have an impact on development, it’s best that they be involved early.

It starts with leadership. Lines of business, technology leadership and risk management need to align on a shared philosophy of balanced development automation — prioritizing the delivery of business value as quickly as possible while staying within the organization’s risk appetite. In the software development process, security and compliance considerations need to be introduced early and embedded throughout the process. Developers should be sure to integrate security and compliance tooling, make use of open-source components and consult with other teams throughout the testing, analysis, compliance monitoring and change management process.

In a business world where time to market is becoming increasingly important, regulated industries may feel somewhat trapped, with one foot on the high-speed development train and the other still planted on a platform made of security, privacy and compliance issues. Incorporating security and privacy from the start in a DevOps software development process through intentional, technology-supported balanced development would help get everything moving in the same direction at the same time.