An Executive’s Guide to DevSecOps: Scaling Security Without Slowing Down Development

Written by Carlos Almeida
Published on February 10, 2026

Hello and welcome back to another SPK and Associates blog. Today we’re going to get into a topic that’s top of mind for nearly every technology and business leader right now: how to scale security without slowing down development.

As software delivery accelerates and attack surfaces really grow, DevSecOps has moved from a technical best practice to a more true executive priority. In this conversation, I’ll have two of my colleagues here at SPK and Associates, and we’re going to talk about the executive-level view of DevSecOps—what it means, why it matters, and how organizations can embed security into the software lifecycle without creating additional friction for development teams.

We’ll talk about shifting left, integrating security into every workflow, and the role of AI in modern DevSecOps. We also want to talk about the metrics that leaders should be using and watching to ensure their investment really pays off.


Meet Our Engineers

So I’m joined by two experts at SPK and Associates. I’ll start out with Darla.

Darla, feel free to introduce yourself.

Hi everybody. My name is Darla Kost. I’m a DevOps engineer at SPK and Associates. Very familiar with GitLab and, you know, running things on CI/CD in general, and happy to be here.

Carlos?

Hi everyone. I’m Carlos Almeida. I’m a VP of Engineering. I’m the old guy on the call. Spent about 20-some years in the world of EDA at a software vendor, creating thousands of releases, dealing with compliance companies, dealing with government, dealing with really low-level in the chip manufacturing and software world.

Last few decades plus I’ve been at SPK, and I lead the engineering side of our DevOps stack, ALM stack, and partner relationships for that world of productivity with compliance built in.

Love it. Can’t wait to talk to you guys.

Yeah. And this is, this is a unique vlog here today, having Darla and Carlos.

Why DevSecOps Has Become an Executive Priority

But Carlos, I want to start with you. So from an executive’s perspective, why has DevSecOps become such a priority—critical priority—for organizations today?

Good question. Well, from an executive perspective, DevSecOps isn’t really about tools. I would say it’s more about risk and trust.

Every company today is a software company. Whether you’re medical device, aerospace, finance, and manufacturing, your product, your data, and your reputation—it’s all running on software.

So what’s changed is the speed. Teams are deploying faster than ever, using platforms like Atlassian, GitLab, tools like PTC Codebeamer for regulated environments.

Now, that’s great for innovation, but it also means that vulnerabilities can move just as fast. So you have to stay on top of that.

DevSecOps has become critical because leaders realize that you can’t just bolt security on at the end anymore. You have to do it up front.

So you need to slow everything down, get it working, and then do it up front so you don’t add more cost or time into your processes. So that’s really the struggle that executives are dealing with today.

Shifting Security Left Into the Developer Workflow

And you said something there that’s important, is that whole earlier-in-the-process thing, which I want to—I want to shift to Darla here, no pun intended with the shift-left scenario—and that is really shifting left.

It’s shifting security further to the left. But how are organizations doing that, and how are they making it a part of the developer workflow instead of an afterthought or something that’s bolted on at the end?

So I think that shifting security left, you know, that really comes down to people trying to meet developers where they already work.

Developer Considerations

We always—we know developers, you know, they want to develop, they want to code, they don’t really want to do anything else. And you know, they’re good at it, and that’s what their job is.

And so if we want to do this and make it part of the workflow instead of something that they think about after, that means embedding those security checks directly into their CI/CD pipelines and their processes, into their code reviews, into their source control.

And not asking them like, “Hey, write all your code and then go log into four separate tools,” or wait until the end of the release cycle and then go and fix everything that you need to.

It makes it feel like a big blocker, and it aggravates everyone to get it to that point and then have something fail because of security.

So when security checks are run automatically in the pipeline, you know, maybe the first developer pipeline when they’re running new code, or they show up in pull requests or whatever, and they have really quick feedback, then developers don’t have to think about it as a separate task.

It’s just kind of part of writing their, their code—part of writing something solid. And that’s the whole point.

You know, you don’t want to slow anyone down. You want to just catch issues earlier, make sure that they’re easier, cheaper to fix, and then make the path—the secure path—the more default path rather than an afterthought.

And that is the whole benefit of shifting left, right? Making it easier and more seen earlier in the process, right?


Integrating Security Without Slowing Down Delivery

So, okay, Carlos, back to you. I want to connect the dots here on the executive side.

So one of the biggest concerns executives have is getting the product to market, right? Like being first to market or nearly first to market.

Sometimes there’s a risk of slowing developers down when you’re adding in all that security.

So what strategies or maybe even tools make it possible to integrate the security best practices without bottlenecking things and making things slow?

Yeah, good point. So the good news—if you do it right—your DevSecOps can actually make your teams go faster.

Let’s think about that.

So, as Darla indicated already, the key is automation and tools and integration.

From a GitLab perspective, you have your security scanning, defensive checks, and compliance validation that you can run right in your pipeline.

Your developers don’t have to stop what they’re doing. They get feedback pretty darn quickly.

In the Atlassian environments, we can integrate security workflows into Jira. So risks, findings, remediations—they’re all tracked just like any other work item.

And in regulated industries, PTC Codebeamer in particular, we can connect security controls directly to requirements, testing, and traceability.

So compliance is built in and not bolted on at the end.

So strategy is simple: move security to the left, automate it, make it visible, and make it part of your normal engineering workflow.

Yeah, it doesn’t have to be the thing you do. The—I, I, I lived through this—the last sprint of the product cycle was the, the, the hardening sprint, and let’s now, let’s do security, guys.

Like, you do that beforehand, it actually speeds things up.

The Role of AI in Modern DevSecOps

All right. So, Darla, no vlog that we do would be complete unless we talked about AI, right?

So now, how can companies get value? How does that AI-powered solution—whether it’s automated vulnerability detection, code suggestions, or writing code for developers—how does having that AI change the way organizations approach DevSecOps?

Providing Context

Now, I think it changes it in a huge way. You know, AI really helps teams—individuals even—shift from just finding problems after everything’s already done to fixing them faster.

So now, instead of dumping a giant list of vulnerabilities on developers and saying, like, “Hey, please don’t do any of these things,” AI can provide that context, and it can actually run through it for them—maybe figure out what the issue is, why it matters, or even how to fix it, which is a huge thing for the developer experience.

Reducing Context Switching

It saves them a lot of time. It’s definitely going to reduce that context switching, too, and reduce a lot of the tools that they have to use. If you have AI, it might be able to replace a couple of different things, and they might be able to do things a lot faster.

It’ll also help developers learn secure coding patterns, too. As they see, “Oh, this already had to be fixed. Next time I won’t do that,” or “I will do this,” or whatever it is.

Improved Security

And that’s going to mean better security outcomes in the future and more productive engineering teams, right? Because the faster you can work, the more you can put forward, and the faster the product can get out.

Yeah. Having a good AI companion actually is like having a teammate that always works, that knows everything, right? Never gets tired. Never gets tired, never takes a day off. That’s pretty valuable.

Metrics and KPIs That Matter to Executives

Okay, Carlos, I’m going to finish up with you here.

Now that we’ve talked about the whole concept of shifting left and creating things in the normal workflow of developers, when executives are looking at these investments for DevSecOps, what KPIs or metrics should they be tracking to look at that ROI?

I’m thinking—my opinion is that most of the organizations that are doing it, they’re doing it wrong or backwards. This is my thought. They’re tracking activity instead of outcomes, if you know what I mean.

Yeah.

I like to think that we should be forcing our thinking into more of a strategic space.

So first: risk exposure. How many vulnerabilities—critical vulnerabilities—do you have? How long are they staying open? Are they trending up or trending down?

The second one I would say is speed to remediation. When something is found, how fast do we fix it? That’s a huge indicator of our overall organizational maturity.

Third is delivery performance. Are we still delivering on schedule? Are we releasing? Are security controls helping us or hurting us for cycle time?

Fourth: compliance confidence. If you’ve been in a war room for an audit, you know what I’m talking about. When an audit happens, can we reproduce the evidence quickly, or is everyone scrambling around for weeks getting everything in order that should have been done by design up front?

So with platforms like GitLab, Atlassian, and Codebeamer, we can help our customers build dashboards that connect these metrics across planning, development, testing, and operations.

And I’ll close with: the goal is not perfect security. I don’t think that exists. I think the goal is predictable, manageable, and measurable risk.

Ready To Scale Security with DevSecOps from GitLab?

Awesome points. Awesome points.

And thank you for this conversation, guys. This has been a really good conversation.

What really stands out from what you guys have said today is that DevSecOps isn’t about choosing between speed and security. It’s about designing systems and workflows and tooling that really enable both.

Whether that’s shifting left and creating a developer workflow, or using AI to reduce some manual effort, or tracking the right metrics that executives feel show the ROI, I think it’s pretty clear that DevSecOps is actually the requirement to align people, process, and technology.

So, Darla, Carlos, thank you again for both sharing your perspectives and practical insights.

Thank you, Michael. Thank you, Darla. Thanks, you guys.

And thanks to everybody watching.

If you’re an executive looking to scale your DevSecOps environment in any way to support faster delivery, stronger security, or a better developer experience, Carlos and Darla and the rest of our team here would be happy to continue that conversation.

You can contact us through our socials or on our website. There’s a contact form and a link in the description of this video.

If you like this video, be sure to hit like and subscribe, and we’ll see you next time on the SPK and Associates blog.

Thank you, everyone.
