The idea that "security is always a laggard" misses the point. Security must cover everything, old and new, while others pursue the latest trend. Diffusion models like "Crossing the Chasm" are business concepts, not operational realities. Security has to defend legacy and cutting-edge tech at the same time.
This isn’t about falling behind; it’s about managing risk everywhere, all the time, often with limited and fixed resources. New technology, pushed by broken incentives, offloads risk onto security teams and users: a textbook moral hazard.
Not all security teams lag, and some businesses invest in resilience and involve security early. But the “chasm” narrative isn’t natural law. It’s an unquestioned cycle that traps security in an impossible role. Maybe it’s time to question the premise itself, rather than just play along. Follow the money: who benefits from it? All this "AI"... who is it really for?
This comment by Chris is so spot on and succinct. He captures the DevSecOps movement perfectly.
"Security has tried various methods such as “shift left” and “DevSecOps”, but this has largely been implemented as throwing a slew of acronym-soup security tooling (e.g. SAST, DAST, IaC, Container Scanning et al.) into a CI/CD pipeline, much of the tooling with low fidelity, data quality issues and little to no application or organizational context, bolstering silos between Security <> Development, ironically the same silos that DevSecOps was supposed to improve."
I think that integrating AI directly into DevOps without information security oversight is very dangerous. Let's not forget that the MITRE CVE program was just about to be pulled due to the shutdown of its funding. But thankfully the CVE program is going forward for another year.