There is no question about it, DevOps is coming to the forefront in enterprise. A 2014 survey from Rackspace found that 79 percent of those they surveyed plan to implement DevOps practices or approaches by the end of 2015. Meaning, most shops now are DevOps shops. For ISACA members, this can have a significant impact—security, assurance, risk, and governance impacts aplenty.
Security pros will need to understand how DevOps can impact existing security controls; some controls (automated static or dynamic application security testing controls—or even manual code reviews) may need to be adjusted in light of faster release cycles and new tools. There might also be hidden security advantages as the transition takes place. As tools like Puppet, Chef, Salt, and others allow them to better meet historical challenges: for example, by leveraging those tools to perform security hygiene tasks (e.g. patching, automated configuration validation, etc.).
Assurance pros likewise will need to understand the impacts of DevOps as it directly impacts them as well. In many DevOps shops, developers can affect changes to the production environment through the use of automated tools. To understand whether this undermines important goals like segregation of duties, assessors will need to understand the deployment model. Is segmentation of duties undermined? Or, is it improved by virtue of automated (and thereby non-repudiable) recordkeeping? The answer will depend on implementation, which is why it is important that practitioners know what questions to ask.
Risk professionals will need to understand how their organization’s overall risk equation is impacted by the move too: there might be new technical risks that arise and other existing ones that are mitigated. There are business risks to consider as well, like what the potential impact on competitiveness our organization should not adopt while the competitors do.
Lastly, there is an impact on governance. Folks who are responsible for overseeing the IT governance program for their organization will need to consider how existing governance structures will extend into DevOps processes and tools. How will DevOps impact those structures and what artifacts (like organizational policy) might need to change as a result?
The point is there are quite a few potential changes on the horizon that will impact all of the disciplines and professional areas that ISACA members inhabit. In order to help those practitioners navigate these potentially-complicated waters, ISACA has released a new whitepaper: DevOps Practitioner Considerations. This guide examines the impacts that DevOps can have on different practitioner communities and explores what those practitioners might choose to do in response.
As organizations start to more frequently move to DevOps, it becomes increasingly important that the “DevOps way” be understood by those with a stake in ensuring trust and value in information systems. Those who do not keep pace might find themselves unequipped to ensure the mission of their organization is protected. Those that adapt may find themselves able to use DevOps concepts to do their jobs even better.
Director of Emerging Business and Technology at ISACA