Any advice for leaders who are looking to adopt DevSecOps but getting resistance from the org or dev teams? How can you overcome that pushback?

Senior VP & CISO, 2 years ago

Agree with Mary - it starts with the tone at the top. Also helpful to get security measures into dev team goals.

CISO in Finance (non-banking), 2 years ago

It starts at the top. You need to get your development leadership involved so there is a unified message of importance. Identifying those on the development team who can become Security Champions can also help. There is a lot of information available on the web to help you develop a security champions program. Something that helped us was to include our developers in testing/choosing tools that were going to be used for the addition of security to DevOps.

Principal Consultant in IT Services, 2 years ago

Work with the development leadership on developing a secure software development lifecycle policy. Work on the approach of crawl, walk, run.

CIO, 2 years ago

It's all about getting a clear DevSecOps strategy defined and agreed upon with all the key stakeholders. The problem comes when the vision is not understood, and/or when the R&R is not well defined. I wrote a detailed LinkedIn article at the back of a strategic DevOps transformation that I led at my previous organization. Sharing the link here if it can be of any help: https://www.linkedin.com/pulse/devops-vision-strategy-sample-blueprint-large-sumeet-goenka/

CISO in Insurance (except health), 2 years ago

The lessons that I have learned over the years are:
1. The security team must have development skills and practical experience to speak the same language as the development team and to establish trust.
2. Developers must lead the initiative, showing buy-in to the rest of the development teams.
3. The development manager must believe in and support the project.

Reply, no title, 2 years ago

I will echo your lessons. Having led product development and IT teams, if you want prod dev to be involved, you have to get them on board at all levels of the organization. Part of doing that is a preexisting respect for the security team, which means that team needs to be developers in their own right and speak the same language.
