
Security as a Product - a Coordination Game between DevOps and InfoSec


In a recent blog post, Kelly Shortridge, a product and strategy expert in information security, reflected on how security should be treated as a product. Using concepts from game theory and moral hazard, Shortridge examined the relationship between DevOps and information security and argued that it is a cooperative game whose goals are better framed as complementary than as conflicting.

While many people talk about the DevOps pipeline and its impact on development and operations, there is also an impact on other functions: for example, human resources making the right hires, sales making the right pitch, or marketing gathering feedback on whether customers like the outcomes. According to IDC, DevSecOps will drive at least 50% of new applications in Asia-Pacific by 2024.

Against this background, security should form the base throughout the organization and the product development lifecycle, given that the consequences of getting it wrong are costly. As the roles and responsibilities of development and security teams change with DevSecOps, Shortridge emphasized creating clear joint goals in order to form a distinct team identity.

Emphasizing the "we thinking" mindset, Shortridge referenced team reasoning as a more accurate theoretical framework that facilitates intentional cooperation. By creating salient joint goals and making the rewards for those goals public, team reasoning builds a foundation for success in this coordination game. Comparing outcome accountability and process accountability, she suggests a hybrid of the two, which she expects to boost collective knowledge and adaptive expertise. According to the 2020 DevSecOps Community Survey conducted by Sonatype, happy developers are 3.6 times more likely to pay attention to security.

Shortridge noted that it is important to look at the communication structure of the goals. This includes messages that emphasize the conflicting nature of goals, as well as self-affirmation and self-reflection on values. The ordering of goals also plays an important part; it is achieved by highlighting objective information about each goal and confining the importance of each goal to itself. Organizations with mature DevOps practices have more security tools, and those tools are more integrated across all environments.

Information security should form a coalition with DevOps. From her research, Shortridge found no organization where guidelines for how DevOps and InfoSec should interact with each other had been documented or codified.

Illustrating the concept with game theory, Shortridge stated that the relationship between DevOps and InfoSec is a coordination game with information asymmetry. Information is at the heart of strategic interactions, and information asymmetry exists when the two sides of an interaction hold unequal knowledge. To form an alliance between these two teams, the organization can act as an external enforcer of coordination.

Looking into the causes of coordination failures, she pointed out that ambiguity in the objectives of these teams leads to friction between them. Addressing this requires support for aligning their preferences, which expands the collective reward of cooperation.

Building on the evidence that humans are by nature far more cooperative, Shortridge explained moral hazard: individuals take on risk because they are protected from it and do not have to bear the consequences of their actions. Using an analogy from insurance, she illustrated how the team structure at most organizations creates the potential for moral hazard. For instance, DevOps can increase their exposure to security-related risk because they are not held accountable for it, and InfoSec can likewise increase risk exposure by creating policies or implementing tools that add risk to their teammates' workflows.

Turning to how moral hazard relates to conflicting goals, Shortridge explained that goals conflict when achieving one prohibits or discourages the achievement of another. Individuals with conflicting goals focus on potential gains and perceive fewer risks when making decisions for others rather than for themselves.

Looking at the source of conflicting goals, she highlighted that having multiple goals is itself a challenge. Pursuing goals sequentially or concurrently each has benefits and downsides, which argues for evaluating solutions that can help both InfoSec and DevOps.
