The value of BizDevSecOps for developers

Gregg Ostrowski serves as the Executive CTO at AppDynamics, part of Cisco. In this Q&A, he goes in-depth on the value of BizDevSecOps for developers, including how it helps break down silos and build bridges among business, security, developer, and operations teams. Gregg highlights how the framework evolved from DevOps and DevSecOps, as well as why it is important in the context of rapid change across a range of industries. He provides best practices for leaders who want to implement BizDevSecOps in their own organizations to keep up with the ever-increasing rate of digital transformation, now and in the future.

ADM: What is BizDevSecOps?

Ostrowski: Over time, DevOps has evolved to DevSecOps and now we have BizDevSecOps. When it comes to developing an application with BizDevSecOps, business goals and security are incorporated from the start and treated with the same importance as development and operations. By setting a business goal at the beginning, all the teams have a common target to achieve compared to goals set in their immediate area of responsibility.

The value of BizDevSecOps for developers

As a framework, BizDevSecOps considers how an application affects the end-user and how it accomplishes the business goal it was created for. BizDevSecOps prioritizes security just as much as it emphasizes efficient deployment and seamless performance. I believe BizDevSecOps is the future for developers who want to create modern applications for a current workforce, and I predict you’ll be hearing about this concept much more in the years to come.

ADM: How is it different from DevOps or DevSecOps?

Ostrowski: BizDevSecOps is different because it incorporates a business context that has been overlooked for so long within organizations of various sizes and within multiple industries. Rather than assuming the inclusion of security or business goals within an overarching DevOps framework, BizDevSecOps distinguishes and incorporates the element of the business and sets the related goals at the same level as the other components of DevSecOps.

By doing this, you set the priority of business goals as high as the performance and security of the application. BizDevSecOps lets your teams know that you are prioritizing user experience, which in today’s ever-digital world is crucial to every organization’s success.

With user experience being so critical as a vehicle for success, BizDevSecOps gives everyone a seat at the table. Security has the opportunity to shine also, by helping drive innovation with the latest security advancements that help drive user experience.

Security teams can now become an enabler of innovation as opposed to slowing down the process.

While this addition may seem simple, it can be quite complicated. When teams continue to operate in long-standing silos, it can be easy to lose sight of the overarching goal of the project or how it ties into another team’s efforts. For example, a security team will only be focused on the security of the application but may create a user experience issue later on if the business team is kept out of the loop with the information they know is most important to end-users. Making the move to a BizDevSecOps will require a cultural shift within the organization and the right tools need to be in place to achieve a working model, however, the organizations looking to win will thrive when all teams are working in unison.

This does not, however, mean that business teams are superior to those who work on security, development, or operations. BizDevSecOps instead shows that all these teams need each other and all have a vested interest in creating the best applications possible.

ADM: Why is it important for application developers?

Ostrowski: When bugs or anomalies appear in applications, developers are often the first to be blamed for the issue because they are so close to the code. This is only intensified with the increase in pressure to perform in digital transformations and amongst the competition. With how prevalent silos can be within teams across industries, developers can get stuck in the dark with no context to help them assist their organizations.

By connecting application development with business context, your teams can create better applications and ensure better collaboration from the start. It has a cascading effect, if you can implement this process from the beginning, it will make each step in the application lifecycle more seamless and efficient, all the way to the end-user.

Application developers also need to be made aware of the latest security advancements from the start, collaboration with the security team shortens the learning curve and shows true innovation focusing on user experience.

ADM: How can organizations implement BizDevSecOps?

Ostrowski: It has to start with a company culture shift. All company leaders need to buy into an organization's shift toward breaking down silos that prevent communication between teams. It’s up to leaders and managers within security, business, and developer teams to come together and set their teams up to collaborate. From there, the communication tools can vary, but there needs to be openness and willingness to share information and responsibility.

Having the proper observability tools is also a key step to implementing BizDevSecOps. Not to be understated, without the proper tooling, measuring success will be extremely challenging. Business leaders need to set aside budgets to include proper tooling and observability as key requirements for success.

There’s no more room for pointing fingers and blaming other teams when things go wrong. You have to adopt a "we’re all in this together" mentality so that when it comes to the final product, everyone feels a sense of ownership of their work.

ADM: How does BizDevSecOps tie into Observability?

Ostrowski: The fit between BizDevSecOps and observability is very natural because both have the same goal. BizDevSecOps creates secure, well-performing, and efficient applications. However, observability takes it a step further into the actual functioning and performance of the application as it's related to the business objective. Furthermore, observability demands effective monitoring and provides context for any bugs, anomalies, or other issues.

It is great to be able to monitor your application and catch anomalies, but without the context of the business or organization’s goals, you’re just trying to find a “needle in a needlestack.” With the understanding of the business goal, technology teams also have the context on how to prioritize what to fix first when multiple issues arise. Observability, specifically full-stack observability through the lens of the business, gives IT information on why a certain anomaly or fault occurred and provides the tools needed to find a solution. If developer teams receive effective communication,  applications are better-performing, more secure, have fewer issues, and ultimately give the end-user the best possible experience.

ADM: How has the pandemic changed the role of developers/technologists?

Ostrowski: The pressure on developers and IT teams has grown immensely since the start of the pandemic, and I believe the pandemic accelerated processes that were already in motion. In a recent AppDynamics report that surveyed more than 1,000 IT professionals worldwide, we found that the pandemic forced a 3X acceleration of digital transformation projects. Furthermore, 66% of technologists said they do not have the resources and support they need to manage increasing complexity and data sprawl, leading to greater stress and negative consequences within the workplace and in personal spheres.

The pandemic put a spotlight on IT teams that had to adapt and shift in a rapidly accelerating world. The spotlight on them grew immensely as numerous organizations shifted to hybrid cloud and cloud models and away from legacy systems.

This shift isn’t limited to IT teams, however. IT is incredibly important, but so are the developers who create the applications that then need to be monitored and managed. Because of these accelerations, developers have also felt the push to work faster and produce more. BizDevSecOps creates a collaborative environment that alleviates this pressure, laying the groundwork for full-stack observability that can bring relief to many technologists and developers.

ADM: How will BizDevSecOps affect developers going forward?

Ostrowski: BizDevSecOps is going to give developers the tools they need to be able to work in tandem with security, operations, and business leadership teams. BizDevSecOps breaks down the walls between silos and allows developers to better communicate with other teams that contribute to the creation and deployment of an application and therefore helps ease tension and pressure that comes with the bright spotlight they’ve been put under during the pandemic.

I really see BizDevSecOps, and by extension, full-stack observability, as the future of the enterprise technology industry. This is evident by how many vendors are now entering the observability space and how many leaders are taking steps to implement it within their organizations. We have been preparing and adapting to this for some time now.

Going forward, I think it will be imperative for organizations to use this framework for application development to keep up with the ever-increasing rate of digital transformation.

Gregg Ostrowski, Executive CTO, AppDynamics

Gregg is a senior executive and thought leader with over 25 years of experience. In leadership positions for technology companies including Research in Motion and Samsung, Gregg was responsible for Enterprise Services, Enterprise Developer Relations, Sales Engineering, and Ecosystem development. He has worked with many F1000 customers, government agencies, and partners on digital transformation, mobility application deployments, DevOps strategies, analytics, and high-ROI business solutions.