This article exploring the relationship between digital transformation and security starts by noting that, historically, when digital transformation took hold within organizations as they adopted agile practices and DevOps, “security considerations were left behind”. I have a different take. I’d argue that security considerations were being ineffectively addressed from the outside, rather than the inside. The realizations that came with such methodologies (shifting left, you build it / you run it) grew from the narrow focus on development and its direct dependencies of infrastructure and delivery. However, the discipline of security was not viewed as a critical dependency, and it was siloed from this upswell. Security was classically seen as a drag on a business whose sights were now set on speed. This rift is what bred the operational dysfunction that allowed many breaches to occur.
The author details the necessity of, and the challenges to, security teams transforming to better align with the business, and, comically, how security can move from the “Office of No” to a pattern of secure enablement. As I like to say, security does not exist for its own sake; it exists to support the business. If security is needlessly suppressing business innovation and revenue opportunities in the process, security has fundamentally failed.
I completely agree with the premise that security teams need to transform in ways that allow them to adopt the mantras of “agility, flexibility and rapid decision-making,” but this certainly isn’t easy. While DevOps teams can fail-fast with their development and innovation processes, failing with security is simply not an option.