
Ask HN: DevOps folks, how much time do you spend on security vs. compliance? - dpenguin
I keep hearing from some DevOps leaders that compliance is a pain in the behind and they spend an inordinate amount of time on compliance certifications. Would like to hear more viewpoints.
======
ptcrash
I wear both a DevSecOps and a System Architect hat at work so take my
experience with a grain of salt.

I spend maybe half of my time working alongside developers to define security
controls that need to be added, verifying they were implemented, and testing
production. I do this because I realized when reading _The Phoenix Project_
that the only way for security to be taken seriously by a company, I have to
have an integral hand in the SDLC. Ironically enough, by defining the security
controls that must be put into scope this early in the process, I also am able
to make sure our software maintains compliance. This experience will be very
different for a company that has more technical debt then we do, keep in mind.

I spend maybe 10% of my time on compliance. However, this is because we've
already achieved our benchmarks; I only focus on determining violations,
remediation, and making sure the company is ready for the next audit. Like I
said, we have little technical debt and I work tirelessly to make sure
security controls have been identified before the scrum starts. Back when I
was working to get us to this point, I spent perhaps 90% of my time learning
about the compliance benchmarks we needed to achieve and when needed to happen
for us to get there.

------
verdverm
I work with companies < 50 people and do not hear this. Most of them are first
looking for stability and velocity, then security.

Where I do see compliance come up is from customer demand or niche
applications (healthcare). Even so, compliance is more about people and paper
than technology, so yeah it takes longer, it's bureaucracy!

