Security and the DevOps imaginary
Matt Spencer (University of Warwick)
Paper short abstract:
This paper considers the relationship between information security and a recent paradigm shift in IT delivery methods. "DevOps" enacts a re-imagining of the IT delivery process, drawing on images of adaptive systems and distributed authority, with implications for how security practices intervene.
Paper long abstract:
This paper considers the relationship between information security and a recent paradigm shift in IT delivery methods. Rising over the last decade, in concert with a range of infrastructure automation technologies, "DevOps" methods are widely considered best practice for delivering change to information systems. DevOps is a re-imagining of the problems of IT delivery, drawing on a heritage in lean manufacturing, agile software development and systems thinking, with a focus on empowered self-organised teams and processes delivering rapid and continuous value. Information security practices are challenged by DevOps methods, as the empowerment of teams involves the displacement of the kinds of representations, gateways and reviews that constituted traditional security "rituals of verification" (Power 1997). Where information was previously reported upwards in the hierarchy for authorisation, DevOps instantiates new forms of reflexivity, immanent to the delivery process. The problem for security in these contexts seems to be how to reconcile the distributed trust of self-organising teams with the centralised accountability of the organisation's corporate personhood, which is ultimately at stake when incidents happen. The problem for STS is partly in devising ways to approach, analyse or respond to "already reflexive" or "self-analysing" phenomena (Riles 2001). If we find concepts like "care" already at work within the DevOps imaginary, are these useful devices for our own reflection? This paper presents reflections that are based mainly on professional experience as a consultant in the information technology sector and that are forming the basis for a new ethnographic study of contemporary cyber security practices.
Caring, negotiating and tinkering for IT in/security