Each business’s cyber security department must implement a unique DevSecOps gameplan specific to the industry in which they exist. For example, a team working to install software at Yankee Stadium will face factors which cause them to approach their operations differently than a team working for a network of department stores.

 A key factor in determining the correct gameplan is whether the industry in which the DevSecOps team exists experiences strict government regulations. Specific regulations may help inform a C-suite executives’ priorities and their willingness to buy into DevSecOps recommendations.

Identifying Obstacles in a Regulated Space

 Rohit Parchuri, Chief Information Security Officer at Yext, addresses this “regulated vs unregulated” discussion during the latest episode of The Secure Developer podcast. Parchuri, a former DevSecOps leader in the healthcare industry, said a regulated space like healthcare requires work from the “inside out.” 

For regulated industries, Parchuri says “you’re not delivering a lot of features or security enhancements, but you are managing your vendors and partners a little bit more than you would on the product side of the house.” He pointed to the Protected Healthcare Information (PHI) within a healthcare space and the antiquated systems in which they usually exist. The lift it takes to convert that information out of the old system — and the vendors desire to continue using that system — is a major difference compared to a product facing operation which doesn’t have the same regulatory rigor. (Hear Parchuri expand on this topic at the 6:11 mark of the podcast.)

While DevSecOps in regulated and unregulated spaces operate differently, there are best practices that apply across both disciplines. Selecting the correct framework, fostering a collaborative team culture, and recruiting the right personnel for the job are all components of an ideal development security team.

For more on cyber security in regulated vs. unregulated spaces and tips for building your DevSecOps team, check out Ep. 104 of The Secure Developer podcast, “Implementing DevSecOps in Regulated vs Unregulated Industries.”