# general
c
Throwing this out there; has anyone done the transition from standard devops work to devsecops/cybersecurity work? Is it a big leap? How did you make the transition?
b
I did this many years ago. I was already very security oriented in my ops work. I then got recruited as a first-hire cloud security engineer on an application security team when I was looking for a new job. I had quite a bit of impostor syndrome at first, but I soon found out that the work wasn't all that different from what I was already doing. And I end up working closely with devops/platform/sre teams most of the time anyway. Just from the other side of the fence, so to speak.
c
hmm ok. For me my experience was that security was part of the conversation in projects, but I wasn't the "voice", if that makes sense. I was more on the devops or cloud side of things. Just wondering how much of a jump it'd be as I've seen a few positions with that name come up in searches lately.
j
All the security engineers at my last job were previously devops engineers.
m
@Chris Reed I would offer to get an understanding of a security framework first (NIST/CIS), then you can get into the secure by design model, which many organizations like Google and the DoD have been doing for some time. The dev and ops were the more popular portions; it's just now, because of the cyber landscape, that federal and large organizations are requiring it to be part of the fabric. Our experience incorporating secure by design was getting an understanding of the security frameworks; we picked a few to focus on, we used dev/stage to build the DevSecOps pipelines, we scanned code, we invested in SAST/DAST and were trained on what to look for. Now our development family references the framework when they are building anything and it has become part of the development process. It was hard for a few and some pushed back, as it was incorporating another domain's model into something they were not familiar with, but time heals all things.
e
This is pretty solid advice. I worked at a security company doing devops and building tools and I think they complement each other pretty well. The extra piece is much of what Miguel mentions above. In the USA, those programs have a good deal to do with FedRAMP moderate/high, but really most orgs can benefit from the frameworks. When I get pushback the simple explanation is usually along the lines of 'when an issue happens, would you rather be the person writing the report that said you did the best practices, or that you will need to do the best practices?' I guess if you were looking for a difference between devops vs devsecops, I tend to see it as the devsecops folks often get tasked with ensuring compliance with best practices, making recommendations to the devops/platform teams, and doing periodic reports to higher about the health of an organization's security and compliance posture. In a big org those may be separate teams. In a small org you may do both sides. I find that even in larger orgs I have had a better time when I try to be forward looking and take care of things prior to the security team reaching out. That phrase about 'it is the other side of the fence' from Ben rings true here.