20 Expert Tips For Adopting DevSecOps In Regulated Industries

DevSecOps integrates development, security and operations into a unified process so teams can detect and address risks earlier in the software development life cycle. However, companies in highly regulated industries—like healthcare and finance—may find the DevSecOps adoption process more challenging due to factors ranging from documentation requirements to technical debt to risk aversion and more.
Below, tech industry experts from Forbes Technology Council share their advice for organizations in regulated environments that are just beginning their DevSecOps journeys. Their insights can help you avoid common (and costly) missteps, maintain compliance and build a foundation for secure, scalable success.
1. Embed Compliance Into Systems And Processes
Start with compliance as code, and make it everyone’s responsibility. In regulated industries, security and compliance can’t be afterthoughts—they must be embedded from day one. Codify your compliance controls into your CI/CD pipeline, automate evidence collection for audits and make sure both developers and security teams share ownership of the controls. This reduces risk. – Avetis Antaplyan, HIRECLOUT
2. Set Clear Guidelines Around AI
Focus on governance, policy and process. We’re all trying to move fast, but we can’t compromise on security. Staying in front of security policies and technology is vital to brand, customer and employee protection. With AI tools rapidly expanding capabilities, having clear guidelines and protections in place is vital to ensure they’re not exfiltrating data or introducing nefarious data to your environment. – Rob Green, Insight Enterprises
3. Give Developers The Tools They Need
Most organizations address security issues after development, which creates long lists of issues for developers to parse and fix, drowning them in busywork. Instead, you should give developers the tools they need to improve the quality and security of all code—human and AI-generated—during the coding process. This vastly improves developer productivity and saves countless hours for security teams. – Tariq Shaukat, Sonar
4. Begin With Machine Identity Security
Start by prioritizing machine identity security. In regulated environments, every system, API and workload talks to something else—and machine identities are the connective tissue. Securing that mesh from the start helps prevent blind spots, enforces least privilege and builds a solid foundation for trust and compliance. It’s the quiet layer that keeps everything else in check. – Ido Shlomo, Token Security
5. Turn Rules Into Automated Checks
In DevSecOps, codifying compliance means turning rules into automated checks in your development process (continuous improvement/continuous deployment). This way, code change is instantly validated, ensuring industry standards are met without manual effort. It also helps detect security flaws early, which is crucial in regulated industries to avoid penalties and maintain customer trust. – Shiva Chandrashekher, Amazon
6. Automate Security And Audit Checks And Use Policy-As-Code Frameworks
Embed compliance as code from day one. Instead of treating regulations as manual gates at the end, automate security and audit checks directly into pipelines. Use policy-as-code frameworks to codify industry standards, enabling continuous verification. This shifts compliance from a blocker to a catalyst for secure innovation. – Pawan Anand, Ascendion
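Tips 1, 5 and 6 all describe the same mechanism: rules that used to live in an audit checklist become automated checks a pipeline runs on every change, with evidence collected as a by-product. The following is an added illustration of that pattern, not code from any of the quoted experts or their companies. It evaluates a deployment manifest (a constructed sample shaped like a Kubernetes Deployment) against four hypothetical rules; the rule identifiers, the manifest and the evidence format are assumptions chosen for the example.

```python
"""Compliance as code: evaluate a deployment manifest against codified rules.

Added example (not from the quoted experts or Forbes). The rules and the
sample manifest are constructed for illustration. Each rule is a small
function returning findings; evaluate() turns the results into both a
pass/fail pipeline gate and an audit-evidence record tied to the exact
artifact that was checked.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample manifest; deliberately violates three of the four rules.
SAMPLE_MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "payments-api", "labels": {"data-classification": "pci"}},
    "spec": {"template": {"spec": {"containers": [
        {
            "name": "api",
            "image": "registry.example.internal/payments-api:latest",
            "securityContext": {"privileged": True},
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
        }
    ]}}},
}


def containers(manifest):
    return manifest.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])


# Rules: each returns a list of finding strings; an empty list means compliant.

def rule_image_pinned_by_digest(manifest):
    """Images must be referenced by immutable digest, not by a mutable tag."""
    return [f"container '{c['name']}' image not pinned by digest: {c.get('image', '')}"
            for c in containers(manifest) if "@sha256:" not in c.get("image", "")]


def rule_no_privileged(manifest):
    """No container may run with the privileged flag set."""
    return [f"container '{c['name']}' runs privileged"
            for c in containers(manifest)
            if c.get("securityContext", {}).get("privileged")]


def rule_no_plaintext_secrets(manifest):
    """Secret-looking env vars must come from a secret store (valueFrom), never inline."""
    findings = []
    markers = ("PASSWORD", "SECRET", "TOKEN", "KEY")
    for c in containers(manifest):
        for env in c.get("env", []):
            if "value" in env and any(m in env["name"].upper() for m in markers):
                findings.append(f"container '{c['name']}' has inline secret in env '{env['name']}'")
    return findings


def rule_classification_label(manifest):
    """Every workload must declare its data classification for audit scoping."""
    labels = manifest.get("metadata", {}).get("labels", {})
    return [] if "data-classification" in labels else ["missing data-classification label"]


# Hypothetical control identifiers; a real program would map these to its framework.
RULES = {
    "CC-IMG-01": rule_image_pinned_by_digest,
    "CC-PRIV-01": rule_no_privileged,
    "CC-SEC-01": rule_no_plaintext_secrets,
    "CC-LBL-01": rule_classification_label,
}


def evaluate(manifest):
    """Run every rule; return (passed, evidence_record) for the pipeline gate and the audit trail."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    results = {rule_id: rule(manifest) for rule_id, rule in RULES.items()}
    evidence = {
        "artifact_sha256": hashlib.sha256(canonical).hexdigest(),
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
        "results": {rule_id: {"status": "fail" if findings else "pass", "findings": findings}
                    for rule_id, findings in results.items()},
    }
    passed = all(not findings for findings in results.values())
    return passed, evidence


if __name__ == "__main__":
    ok, record = evaluate(SAMPLE_MANIFEST)
    print(json.dumps(record, indent=2))
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the non-zero exit blocks the release, while the printed record (artifact hash, timestamp, per-control status) is the evidence an auditor asks for, generated without anyone filling in a spreadsheet. Adding a control means adding a function and an entry in `RULES`, which keeps the rule set reviewable in version control like any other code.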
7. Foster A Security-First Culture
Start with security as a cultural mindset, not just a technical checklist. While building our AI platform, we learned that embedding security consciousness into daily development culture was far more effective than retrofitting controls later. Make security part of early design conversations, and empower developers to understand the “why” behind requirements, not just the “what.” – Mara Dimofte, Rilla
8. Take A Long-Term Approach
Think long-term from day one. Make security everyone’s responsibility, from developers to compliance teams. Automate checks, document everything and embed controls early in the pipeline. It’s not about slowing down delivery; it’s about building trust, avoiding rework, including more quality checks and scaling securely, without surprises. – Anusha Nerella, State Street Corporation
9. Make Database Management A Strategic Priority
Embedding compliance into DevSecOps practices and elevating database management to a strategic priority builds resilient, trustworthy organizations. Effective database management involves careful planning and investment, ensuring reliability and security, and focusing on regulatory compliance—like data anonymization and implementing robust access controls—mitigates the impact of data breaches. – Jakub Lamik, Redgate Software
10. Focus On Execution Over Symptoms
Security has traditionally been backwards—focused on symptoms, not execution. Start with how software is built. Focus first on execution: who’s creating risk, where and why. Link it to teams and devs to drive accountability, improvement and scale. In regulated industries, compliance follows great execution—not tools. – Jeremy Vaughan, Start Left® Security
11. Maintain A Strong Focus On Values And Beliefs
Organizations typically think of implementing regulatory policy checks across the DevSecOps pipeline. This is too late and not sustainable. What drives decisions in DevSecOps is culture—deep-rooted values and beliefs ultimately operationalized within the pipeline. So my advice is: Focus relentlessly on values and beliefs. The determination and sense of purpose will take care of the rest. – Altaz Valani, DevSecOpsMentor.com
12. Ensure The Commitment To Security Starts At The Top
A security-conscious culture comes from the top. Embed security into leadership priorities and organizationwide processes and products, not just tooling. Make executives accountable, bake security into OKRs and reward secure development like you do velocity. – Luke Kyohere, Onafriq
13. Invest In An Experienced ‘Full-Spectrum’ Technology And Security Leader
A holistic approach is necessary. Hire a full-spectrum technology and security leader for the role, and do not cut corners on compensation. In short, “full-spectrum” means the leader has verified experience successfully implementing best practices for cybersecurity, traditional IT operations, compliance, cloud infrastructure, product development life cycles, vendor management and team building. – Daniel Leslie, Bennie Health
14. Empower Developers To Become Security Pros
It is essential to empower and train developers to become security professionals. Identifying and correcting vulnerabilities and misconfigurations downstream is significantly more challenging and costly than preventing these issues through informed and appropriate security decisions made by developers. – Rolando Torres, Abacode Inc.
15. Nurture Cross-Functional Collaboration
Ensuring cross-functional collaboration between development, security and operations teams is a key enabler. It is important to ensure every stakeholder is trained on the criticality of integrating security from the outset. Automating security checks and compliance validation in the CI/CD pipeline is also a must to enhance efficiency. – Mohan Subrahmanya, Insight Enterprises
16. Ensure Dev, Sec and Ops Are Balanced
Align to the skills on the team and determine how they will be utilized to help each member have the maximum impact. A strong team must carefully balance their focus to not overemphasize Dev, Sec or Ops at the expense of the others. Leverage your team’s skills wisely to meet requirements while staying adaptable. Speed, security and stability don’t have to be trade-offs. – Mia Millette, Skyline Technology Solutions
17. Build Trust And Alignment Between Teams
Start by building trust between your developers, security team and compliance experts. In regulated industries, DevSecOps isn’t just about automation—it’s about collaboration. If those three voices don’t align early, every release will feel like a negotiation instead of progress. Invest first in shared language, then in pipelines. – Ramiro Gonzalez Forcada, The Flock
18. Ground AI Usage In Human Oversight
AI has reset the speed of business. Real-time data and AI models that never experience burnout, brain fog or competing priorities make it easier to build the DevSecOps plane while it’s flying. But in regulated industries, where compliance and accountability are nonnegotiable, respecting real people’s input is critical. The most successful DevSecOps journeys are grounded in human oversight. – Ogie Sheehy, ViClarity
19. Establish A Zero-Trust Baseline Prior To Scaling
Before scaling, establish a zero-trust baseline—assume breaches, verify continuously and enforce least privilege. In regulated industries, a security-first approach isn’t optional; it’s the backbone of resilience. Automate compliance, integrate security early and ensure trust is earned, not given. Secured growth is sustainable when it stems from confidence, not compromise. – Nitesh Sinha, Sacumen
20. Prioritize Securing Non-Human Identities
Prioritize securing non-human identities early in your DevSecOps lifecycle. Automate certificate and credential management; enforce strict least-privilege access for services, containers and APIs; and ensure continuous visibility to reduce risk, simplify compliance audits and proactively prevent identity-related breaches in regulated environments. – Dino DiMarino, AppviewX
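Tips 4 and 20 both come down to the same control set for machine identities: know who owns each one, rotate its credential, make sure it expires, and keep its permissions narrow. The following is an added example of the "continuous visibility" part, written for this page rather than taken from any of the quoted experts or vendors. The inventory is constructed, and the rotation window, expiry lead time and the list of permissions treated as overly broad are assumptions a real policy would set.

```python
"""Continuous visibility over non-human identities.

Added example (not from the quoted experts or any vendor). Scans a
constructed inventory of service accounts, workload certificates and API
keys and reports the findings a regulated environment would need to act
on: missing ownership, stale or non-expiring credentials, certificates
near expiry and overly broad permissions. Thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ROTATION_MAX_AGE = timedelta(days=90)   # assumed credential rotation policy
EXPIRY_WARNING = timedelta(days=30)     # assumed certificate renewal lead time
BROAD_PERMISSIONS = {"*", "admin", "*:*"}  # assumed "too broad" markers


@dataclass
class MachineIdentity:
    name: str
    kind: str                       # "service-account" | "workload-cert" | "api-key"
    owner: Optional[str]            # accountable team, or None if unowned
    issued_at: datetime
    expires_at: Optional[datetime]  # None means the credential never expires
    permissions: List[str] = field(default_factory=list)


# Fixed clock so the example is reproducible; a real scan uses datetime.now(timezone.utc).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed inventory: one near-expiry cert, one unowned legacy key, one healthy account.
INVENTORY = [
    MachineIdentity("payments-api", "workload-cert", "team-payments",
                    NOW - timedelta(days=340), NOW + timedelta(days=25),
                    ["payments:read", "payments:write"]),
    MachineIdentity("legacy-etl", "api-key", None,
                    NOW - timedelta(days=400), None, ["*"]),
    MachineIdentity("ci-deployer", "service-account", "team-platform",
                    NOW - timedelta(days=10), NOW + timedelta(days=355),
                    ["deploy:prod"]),
]


def assess(identity: MachineIdentity, now: datetime = NOW) -> List[str]:
    """Return the list of policy findings for one identity (empty means compliant)."""
    findings = []
    if identity.owner is None:
        findings.append("no accountable owner")
    age = now - identity.issued_at
    if age > ROTATION_MAX_AGE:
        findings.append(f"credential age {age.days}d exceeds rotation window")
    if identity.expires_at is None:
        findings.append("credential never expires")
    elif identity.expires_at - now <= EXPIRY_WARNING:
        findings.append(f"expires in {(identity.expires_at - now).days}d")
    broad = [p for p in identity.permissions if p in BROAD_PERMISSIONS]
    if broad:
        findings.append(f"overly broad permissions: {broad}")
    return findings


def audit(inventory: List[MachineIdentity], now: datetime = NOW) -> Dict[str, List[str]]:
    """Assess every identity; the result is the report a scheduled job would emit."""
    return {identity.name: assess(identity, now) for identity in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The point of running this on a schedule rather than once is that every finding maps to an action (assign an owner, rotate, renew, narrow the permission), and the same report doubles as the access-review evidence an audit expects. Feeding it from the real secret store, certificate authority and cloud IAM inventories is the integration work; the policy logic stays this small.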