New Operating Model: Balancing Business Speed With Risk

DevOps speed and security risk

Recently, there was an interesting article in The Wall Street Journal around Deloitte’s new tech operating model. The article confirms a lot of what we are experiencing as we interact with business and security practitioners across various industries. We are in an era where business value creation involves multiple teams and business units. The backdrop of this is to provide the business with the needed agility to operate confidently.

The ability to quickly align with changing business priorities implies the need for a service model that can easily be reused in multiple business contexts. 

The need for a sound operating model hasn’t changed. What has shifted, however, are the business drivers. This is best explained by taking a closer look at the new business operating model.

The need for balance between delivery speed and risk

There's a shift in the industry right now about how business operating models need to enable both delivery speed as well as risk management. 

In the past, the focus was on speed to market as a means of achieving a competitive advantage. We often heard about DevOps and rapid delivery cycles. Unfortunately, security gaps became quite common in application development. In the exclusive pursuit of delivery speed, we were rapidly introducing more and more security risks with each deployment. The reactive response was, “we’ll fix it later” which never materialized. Remediation costs of software vulnerabilities are always more expensive compared to releasing additional features. 

Fast forward to today and you can see how business operations are now intimately tied to security risk. 

We see this with executive accountability for cybersecurity. Auditors and assessors are becoming more security savvy and have pointed questions about security. It is reaching a point where some large companies will only work with a supply chain that builds security into their software. We have to be careful here not to let the pendulum swing too far to the other extreme. Too many security controls can hinder business agility and speed to market. 

Clearly we need a balanced approach between speed and risk. It’s not that the information or metrics around these areas are not already being generated. Rather, it is the fact that this information is not easily shared across all stakeholders. That means decisions get made in silos which adds additional time to the delivery cycle.

Elements of the new operating model

Achieving both speed and software security implies a certain operating model to achieve that goal: 

  1. Aligning business strategy and security integration

    • Involving multiple business and IT stakeholders at the table and working on the right priorities.

    • Agreeing upon program initiatives with embedded security and a cadence that meets business priorities.

    • Identifying key resources, technology automation, and facilitating human collaboration are all set up to provide the right delivery and risk metrics on a continual basis for business units, IT, security, risk, audit, and legal teams.

  1. Developing the right security capabilities to support business agility

    • Focusing your service offering on project delivery, security training, and providing the right information to business and IT stakeholders at the right time for an informed decision.

    • Ramping up security through third-party augmentation based on acceptable risk. The risk analysis would involve a go/no-go decision on a particular technical competency for business enablement.

  1. Constructing the right security governance processes as guardrails for speed of delivery

    • Focusing on key operating value streams like strategy to portfolio, requirements to delivery, support, and detection to correction.

    • Integrating with key business units, vendors, and contractors to achieve both speed while managing security risk.

  1. Focusing technology and infrastructure on business value delivery

    • Using lean thinking to execute the most efficient way for continuous value to the business.

    • Using Balanced Development Automation platforms to integrate business, security, development, and operations controls.

Conclusion

Having a sound operating model is essential to delivering value. 

These models need to adeptly map to business priorities at multiple levels: strategic, tactical, and governance. It's important to bring into consideration how you can manage legacy operating models by either evolving them to suit today’s rapidly changing business models, or construct entirely new models that add new capabilities for increased competitiveness.

In case you want to learn more about this new operating model, you can listen to our webinar on balancing DevOps speed with risk.

About the Author

Altaz Valani

Altaz is the Director of Insights Research and is responsible for managing the overall research vision at Security Compass. Prior to joining SC, he had served as a Senior Research Director and Executive Advisor at Info-Tech Research Group, Senior Manager at KPMG, as well as held various positions working alongside senior stakeholders to drive business value through software development. Valani is on the SAFECode Technical Leadership Council, CIO Strategy Council, the Open Group, and also contributes to several IEEE working groups.

More Content by Altaz Valani
Previous Article
Scenario Planning to Manage Security in DevSecOps
Scenario Planning to Manage Security in DevSecOps

One of the biggest challenges that remain in DevSecOps today is alignment between teams. Read how scenario ...

Next Article
Bridging the Cybersecurity Talent Gap With Automation
Bridging the Cybersecurity Talent Gap With Automation

Considering the current talent shortage, the cybersecurity workforce needs to grow by 145 percent as per re...