Delhi, 29th August 2025: Across industries, there is a growing realization that security, risk management, and resilience cannot remain checkbox exercises tied only to audits or certifications. Strict frameworks undoubtedly provide a strong foundation, but the real advantage comes when organizations embed their principles into day-to-day practices. By doing so, teams not only prepare for eventual certification but also build a culture of vigilance and adaptability that strengthens long-term business continuity.
Join us in this candid conversation between Mr. Marquis Fernandes, (Director India Business at Quantic India) and Mr. Biswajit Sen who is the Director – Risk and Cyber Security at LTIMindtree. Mr. Biswajit reflects on his experience, highlights how small, consistent habits can accelerate this alignment. He points to the value of empowering dedicated security champions within teams, ensuring the right tools are chosen for accurate and actionable insights, and integrating testing early in the development lifecycle to identify risks before they escalate. Importantly, he stresses that not all risks are obvious. Dependencies on third-party components, gaps in behavioural readiness, and the lack of redundancy in critical roles often go unnoticed until they create significant disruption.
Given your experience with ISO 31000, 27001, and 22301, what practical certification-aligned habits can DevSec teams adopt even before formal compliance?
To foster early alignment with ISO 31000, 27001, and 22301 standards, DevSec teams can adopt practical habits and best practice that embed security and risk awareness into their daily workflows, well before formal certification begins. These habits focus on building a culture of continuous learning, selecting tools that match compliance needs, integrating proactive testing into development cycles, and applying risk-based prioritization to remediation efforts. The following practices offer a structured approach to embedding these principles effectively.
- Building Awareness: Develop a role-based security and awareness training program for the DevSec team. Share periodic updates, such as mailers and flyers, highlighting relevant industry and domain-specific awareness tips & incident details. Identify and empower key roles like a Risk/Security Champion to lead internal awareness efforts. Request budget allocation for training and certification, and create individual skill development plans to foster high performance and result.
- Select the Right Tools: Understand your compliance requirements and choose security tools that align with them. Tools should be accurate, minimize false positives, operate efficiently in real-time, and include support contracts that provide timely security intelligence.
- Shift Left with Testing: Early risk identification during the SDLC lifecycle is crucial success factor. The cost of remediation increases significantly as development progresses, so proactive testing and remediation is essential.
- Prioritize Risk Remediation: Not all risks require immediate action. Focus on high-impact issues, and create a prioritized remediation list. Accept certain risks based on your organization’s risk appetite to maintain cost-effectiveness.
You’ve implemented enterprise-wide risk management frameworks, what are three non-obvious risk indicators you believe DevOps teams often overlook?
DevOps teams operate in fast-paced environments where traditional risk indicators may not capture emerging vulnerabilities. Beyond the obvious metrics, there are subtle but widespread risks that can undermine security, GRC and delivery objective. The following three indicators are often overlooked but critical to enterprise-wide risk management.
- Inadequate Software Composition Analysis (SCA): Modern applications heavily rely on third-party components, libraries, and API integrations. Traditional SAST/DAST tools often fail to detect vulnerabilities in these dependencies. A robust risk indicator should include a comprehensive inventory of third-party components, their versions, associated licenses, known vulnerabilities, and mitigation strategies. It should also track timely security intelligence updates for all integrated tools.
- Ineffective Security Training and Awareness Programs: Human error remains a leading cause of breaches, yet DevSec teams often overlook behavioral risks. Developers are primarily focused on delivering functionality, which can sideline security awareness. Risk indicators should go beyond tracking training completion, they should include simulated social engineering campaigns and measure the percentage of team members who fail these tests. This helps assess real-world readiness and identify gaps in awareness.
- Lack of Resiliency in Key Roles: Business urgency often compresses development timelines, creating pressure on Subject Matter Experts (SMEs) and go-to personnel. When these roles lack backups, they become bottlenecks and are at risk of burnout, leading to delivery delays or compromised quality. A valuable risk indicator here is the number of critical roles without assigned backups. Early identification and cross-skilling plans can mitigate this risk and build team resilience.
How do you quantify risk in DevOps pipelines where traditional risk matrices don’t always apply?
Traditional risk management frameworks like ISO 31000, NIST RMF, and COBIT offer structured approaches to identifying and analyzing risks aligned with organizational objectives. However, DevOps environments, with their dynamic, automated, and continuous nature, require more adaptive models. Quantifying risk in these pipelines demands real-time, context-aware indicators that go beyond static likelihood-impact matrices.
While foundational principles remain relevant, traditional risk matrices often fail to capture the velocity and automation inherent in CI/CD pipelines. Static assessments don’t account for rapid deployments, evolving dependencies, or behavioral risks. To address this, industry models such as the OWASP DevSecOps Maturity Model (DSOMM), Incremental Risk Assessment in DevSecOps, and the OWASP Risk Rating offer tailored approaches that blend qualitative and quantitative methods.
What Makes DevOps Risk Models Effective?
- Contextual Threat Evaluation: Models incorporate threat agent competency, application and OS vulnerabilities, and business impact. Using CVSS scoring helps standardize vulnerability severity ratings.
- Maturity Roadmaps: Frameworks guide teams toward higher maturity in CI/CD security, vulnerability management, and identity & access controls.
- Real-Time Risk Assessment: Some models support continuous risk evaluation and align with certification processes.
- Integrated Threat Modeling: STRIDE-based threat modeling is embedded into application design phases.
DevOps-Specific Risk Quantification & KRIs
To quantify risk effectively, leadership should monitor the following indicators:
- Deployment Failure Rate: Track failed deployments as a percentage of total releases.
- Deployment Frequency Thresholds: Excessively frequent deployments may increase exposure to risk.
- Lifecycle-Based Risk Indicators: Measure risks across build, test, and deploy stages, focusing on dependency vulnerabilities, SAST/SCA/DAST findings, and configuration mismatches.
- Third-Party Exposure: External dependencies (e.g., open-source libraries, APIs) pose significant risks due to limited control. Mapping and monitoring these is critical.
In essence, security in DevOps is not about chasing checklists, but about cultivating a mindset of continuous awareness, accountability, and resilience. By embedding certification-aligned habits early, monitoring subtle but critical risk indicators, and adopting adaptive models for quantification, organizations can turn security into a business enabler rather than a compliance hurdle. As Mr. Biswajit Sen emphasizes, resilience is built not in grand gestures but in the small, consistent practices that make security a shared responsibility across every team.
