Adopting IT Risk Management within your DevOps model using the CAMS values

Kanandjembo
Nov 10, 2020

The DevOps operating model has been gaining traction over the past 10 years as organizations adopt agile ways of working. DevOps significantly improves the speed of delivery, and issues are resolved much faster. So what is DevOps? To simplify things, it is the fusion of the development and operations teams. Let me elaborate. Traditionally, the team of developers would work separately, or in isolation, from the team of system administrators and database administrators that maintain and support systems. More often than not, these two teams end up working in silos and do not understand each other's work. The DevOps operating model strives to build teams that maintain good relationships between the developers and system/database engineering (operations). They collaborate and work closely together. One of my favorite adoptions of DevOps is the site reliability engineering methodology.

Damon Edwards and John Willis are the brains behind the DevOps core values: CAMS. CAMS is an acronym that stands for Culture, Automation, Measurement and Sharing. These values are widely adopted and applied in the DevOps world. In the quest for speed and agility, risk management often becomes an afterthought or, in some cases, is seen as a showstopper. This article is about how to use the CAMS values to adopt and incorporate sound risk management practices within your DevOps environment.

1. Culture

Building a risk-aware culture can bring your organisation various benefits. Incorporate risk management considerations into your ways of working, and this can help you build better and stronger processes and systems. What I mean here is: before you even write a line of code, think about what could go wrong as you brainstorm your solution. Agile is often equated with speed of delivery or being first to market. But what actually matters? I believe it should be about being first to market in a secure and controlled manner. Embracing a risk-aware culture helps to pinpoint risks and implement appropriate controls from the outset. Building a culture requires management to be open-minded and able to embrace change. Nothing is ever cast in stone.

2. Automation

When it comes to automation, we often talk about automating your continuous integration and continuous delivery (CI/CD) pipelines. Consider the risks posed by the various tools used within the CI/CD pipeline, such as unauthorised access to them or unauthorised changes pushed through them. Where applicable, embed automated segregation-of-duties (SoD) checks that require additional, independent approvals before code is pushed to production, so that the person who wrote a change cannot be the one who approves its release. Think about automating the access provisioning and de-provisioning controls to ensure that access rights are commensurate with specified job duties and are revoked in a timely manner when no longer required. One can also incorporate and automate vulnerability and security scans during the build process: Hello DevSecOps.
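As an added example (not code from the original post), the following Python module shows what the three automated controls above can look like when expressed as pipeline logic: a production gate that enforces segregation of duties and blocks on unresolved scan findings, and an access reconciliation that flags entitlements to revoke. All names, the approver group, the role matrix and the HR roster are constructed for illustration; in a real pipeline these would come from your source-control platform, your scanner's report and your HR/IAM systems.

```python
"""Automated risk controls for a CI/CD pipeline (constructed example).

sod_gate()        - segregation-of-duties and scan gate before a production deploy
reconcile_access() - flags access that no longer matches the role matrix or HR status
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# --- policy (assumed values; tune to your own environment) -------------------
PROD_ENVS = {"production", "prod"}          # environments the gate applies to
MIN_APPROVERS = 2                            # independent approvals required
BLOCKING_SEVERITIES = {"critical", "high"}   # scan severities that block a release
RELEASE_APPROVERS = {"bob", "carol", "dave"} # hypothetical release-approver group


@dataclass(frozen=True)
class Change:
    change_id: str
    author: str
    approvers: set[str]
    target_env: str
    scan_findings: dict[str, int]  # severity -> count, e.g. {"critical": 0, "high": 2}


def sod_gate(change: Change, release_approvers: set[str]) -> list[str]:
    """Return control violations for a change; an empty list means it may proceed."""
    violations: list[str] = []
    if change.target_env not in PROD_ENVS:
        return violations  # only production deploys are gated here
    # SoD: the author must not approve their own change.
    if change.author in change.approvers:
        violations.append(f"{change.change_id}: author {change.author} approved own change (SoD)")
    # Only approvals from the designated group, excluding the author, count.
    independent = {a for a in change.approvers if a in release_approvers and a != change.author}
    if len(independent) < MIN_APPROVERS:
        violations.append(
            f"{change.change_id}: {len(independent)} independent approval(s), need {MIN_APPROVERS}")
    # Vulnerability scan gate: any blocking-severity finding stops the release.
    blocking = {s: n for s, n in change.scan_findings.items() if s in BLOCKING_SEVERITIES and n > 0}
    if blocking:
        violations.append(f"{change.change_id}: unresolved scan findings {blocking}")
    return violations


@dataclass(frozen=True)
class Entitlement:
    account: str
    system: str
    role: str


def reconcile_access(entitlements: list[Entitlement],
                     hr_roster: dict[str, tuple[str, date | None]],
                     role_matrix: dict[str, set[tuple[str, str]]],
                     today: date) -> list[tuple[Entitlement, str]]:
    """Return (entitlement, reason) pairs that should be revoked.

    hr_roster maps account -> (job_title, termination_date or None).
    role_matrix maps job_title -> set of (system, role) the title is allowed.
    """
    revoke: list[tuple[Entitlement, str]] = []
    for ent in entitlements:
        record = hr_roster.get(ent.account)
        if record is None:
            revoke.append((ent, "no HR record (orphan account)"))
            continue
        title, termination = record
        if termination is not None and termination <= today:
            revoke.append((ent, f"leaver, terminated {termination}"))
            continue
        if (ent.system, ent.role) not in role_matrix.get(title, set()):
            revoke.append((ent, f"not permitted for job title '{title}'"))
    return revoke


# --- constructed sample data --------------------------------------------------
CLEAN_CHANGE = Change("CHG-1", "alice", {"bob", "carol"}, "production",
                      {"critical": 0, "high": 0, "medium": 3})
SELF_APPROVED = Change("CHG-2", "bob", {"bob", "carol"}, "production", {"critical": 0, "high": 0})
VULNERABLE = Change("CHG-3", "alice", {"bob", "carol"}, "production", {"critical": 1, "high": 2})
STAGING = Change("CHG-4", "alice", set(), "staging", {"critical": 5})

TODAY = date(2020, 11, 10)
HR_ROSTER = {"alice": ("developer", None),
             "bob": ("release manager", None),
             "erin": ("developer", date(2020, 10, 31))}  # left last month
ROLE_MATRIX = {"developer": {("gitlab", "developer"), ("staging-db", "read")},
               "release manager": {("gitlab", "maintainer"), ("prod-deploy", "approver")}}
ENTITLEMENTS = [Entitlement("alice", "gitlab", "developer"),
                Entitlement("alice", "prod-db", "admin"),        # outside role matrix
                Entitlement("bob", "prod-deploy", "approver"),
                Entitlement("erin", "gitlab", "developer"),      # leaver
                Entitlement("svc-legacy", "prod-db", "read")]    # orphan account

if __name__ == "__main__":
    for chg in (CLEAN_CHANGE, SELF_APPROVED, VULNERABLE, STAGING):
        print(chg.change_id, sod_gate(chg, RELEASE_APPROVERS) or "OK")
    for ent, reason in reconcile_access(ENTITLEMENTS, HR_ROSTER, ROLE_MATRIX, TODAY):
        print(f"REVOKE {ent.account}@{ent.system}:{ent.role} -> {reason}")
```

Run as a pipeline step, a non-empty result from `sod_gate` fails the deploy job, and the output of `reconcile_access` becomes the revocation ticket queue (or the input to an automated de-provisioning job). Note that the gate counts only approvals from the designated group, so adding a colleague who is not a release approver does not satisfy the control.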

3. Measurement

How can we apply Kaizen, the Japanese concept of continuous improvement, to risk management? Risk management seeks to continuously improve business processes. Be open to learning from mistakes. Don't we all learn from failing? As a process or control owner, embrace your risk management, internal audit and external audit teams. It is always helpful to have a second pair of eyes look at your processes. Track, monitor and analyse your processes, and ensure that exceptions and mistakes are remediated in a timely manner. I think of this as: what can I do to ensure that this doesn't happen again?

4. Sharing

Hiding and shying away from issues just delays the inevitable. Promote a culture of openness, open communication and collaboration. Share learnings, experiences and openly bounce ideas off one another.

"What could go wrong if we do it like this?" or "In your experience, how can we cover X?"

Build a bridge over the trenches between the "lines of defense". Collaborate openly to address the risks within your environment. I believe that risk management should be a forward-looking activity. Always remember that the goal is meeting your company's mission and vision as you innovate.

Risk management is an important part of your lean and agile ways of working. Building a risk-aware culture alleviates many challenges, as risk considerations are factored into your pipelines from the outset. Culture plays a vital role in adopting the right mindset towards risk management. Share and bounce ideas off one another. Invite your risk or internal audit teams to your brainstorming sessions and be open-minded towards embracing and adopting different perspectives. I believe that, inasmuch as we approach things from different angles due to our varying roles and responsibilities, at the end of the day we are all chasing one goal: seeing the organization realize its mission, vision and strategic objectives.
