
DevSecOps: Responsibility Without Authority
DevSecOps promises shared security responsibility, but what happens when accountability shifts without decision authority? In this episode of The ITSM Practice Podcast, Luigi Ferri explores governance gaps, risk ownership, Security Champions, burnout, and structural ambiguity in DevSecOps. A sharp reflection for CISOs, AppSec leaders, and ITSM professionals navigating security governance and enterprise risk management.
In this episode, we answer:
Who is explicitly allowed to accept risk in a DevSecOps operating model?
What happens when developers receive security accountability without authority?
Are Security Champions strengthening governance, or masking leadership gaps?
Resources Mentioned in this Episode:
Blackduck website, article "DevSecOps: The good, the bad, and the ugly", link https://www.blackduck.com/blog/devsecops-challenges-benefits.html
Jit website, article "6 DevSecOps Best Practices that Enable Developers to Deliver Secure Code", link https://www.jit.io/resources/devsecops/a-practical-guide-to-devsecops-making-it-work-for-developers
Decipher Bureau website, article "DevSecOps Professionals: Avoiding ‘The Great Burnout’", link https://www.decipherbureau.com/news/articles/devsecops-professionals-avoiding-the-great-burnout/
Security Journey website, article "From Disruption to Integration: Rethinking Just-in-Time Security Training", link https://www.securityjourney.com/post/from-disruption-to-integration-rethinking-just-in-time-security-training
Connect with me on:
LinkedIn: https://www.linkedin.com/in/theitsmpractice/
Website: http://www.theitsmpractice.com
And if you want more tips and guidance, follow me on LinkedIn. I am sharing daily posts regarding Enterprise Service Management, IT Service Management, and IT Security.
Credits:
Sound engineering by Alan Southgate - http://alsouthgate.co.uk/
Graphics by Yulia Kolodyazhnaya
Information
- Show
- Frequency: Updated Weekly
- Published: March 31, 2026 at 6:00 AM UTC
- Length: 7 min
- Season: 3
- Episode: 5
- Rating: Clean