In this in-depth panel discussion, industry leaders from Danske Bank, GitLab, Mjølner Informatics, and Eficode explore the ongoing challenges of implementing DevSecOps in 2025. They share insights on the importance of integrating security into the development lifecycle, addressing human factors, and aligning people, processes, and technology for effective software delivery.
Speakers
Stefan Daugaard Poulsen
DevOps
Solution Architect
Stefan comes with a wide range of experience in software development, operations, and especially platform engineering, all based on 20+ years of working as a developer, staff engineer, and CTO. In recent years, his focus has primarily been on platform engineering—on both the technical and product sides—to ensure a strong foundation for better products. Whether it is technical details, platform adoption and advocacy, or the strategic investments in platform engineering, Stefan is the go-to guy.
Ophelia Zhang Dalsgaard
Technical Value Stream Lead at Danske Bank
Ophelia leads digital core modernization at Danske Bank, where she is responsible for the strategy, engineering, and evolution of business-critical customer systems. She specializes in transforming complex legacy environments by aligning technology, organizational design, and engineering culture to accelerate delivery and improve operational performance. Drawing on experience from hands-on engineering to executive leadership, she shares practical insights into leading large-scale modernization in highly regulated enterprises.
Mads Schaarup Andersen
Lead AppSec Engineer at Mjølner Informatics
Mads helps organizations build developer-centered application security practices that make secure software delivery part of everyday engineering. As Lead AppSec Engineer at Mjølner Informatics, he combines deep expertise in software engineering, security, and human-computer interaction to design practical DevSecOps approaches, from Security Champions programmes to developer enablement and threat modelling. He helps teams turn security from a compliance exercise into a collaborative capability that scales with modern software development.
Jonathan Fullam
Gitlab
VP, Global Solutions Architecture at Gitlab
Jonathan helps enterprise organizations turn modern software delivery into a competitive advantage. As VP of Global Solutions Architecture at GitLab, he leads a global team helping organizations adopt platform engineering, DevOps, and AI to improve delivery at scale. Drawing on deep experience in software engineering and enterprise architecture, he works with technology leaders to build high-performing engineering organizations that accelerate innovation while strengthening security, collaboration, and business outcomes.
Transcript
[Stefan:] We're going to talk about why it's still tough to do DevSecOps in 2025. We all know we should do it. What are we even doing? That's the even bigger question. To go through that, we invited a few people. I'm going to run totally off the order of the screen. We have Mads working for Mjølnir. Then we have Ophelia working for Danske Bank. We have Jonathan from GitLab. I work for Eficode, but you'll listen to these three people, not me. That's the important bit. Kicking off a bit, we need to figure out what DevSecOps is for you. If we start with you, Mads, what does it mean for you? [Mads:] Everything about AppSec all throughout the SDLC. Maybe even more important is where we draw the line between what we leave up to developers and what to the platform team? The further I've worked in this field, the more I want on the latter, especially in large organisations. That tends to be the cheapest place to put it. Hoping you're not going to say, oh, the same as Mads. [Laughs] It's only good if you do. That means we have an agreement on it. [Ophelia:] I would define DevSecOps as the integration of security practices within the lifecycle of app development. And it's more like a style of thinking instead of an actual role. [Stefan:] It's good to hear that. We hear things being a role, and people forget what it actually means. Last but not least. [Jonathan:] Sure. For me, it's an organizational discipline around delivering high quality software as quickly as you can and as securely as possible. Under that, there are various different principles around people, process and technology. We know there are cultural components that help. We know there are technical capabilities and different methodologies. Ultimately they focus on the goal of secure quality software as quickly as you can. [Stefan:] Good to hear we don't disagree on everything. That would be a long, long discussion. We would be here defining it for 30 minutes still. If we jump back to the beginning, we want to start out with DevSecOps. We come from an old organization. We don't have this culture or setup. Where do we start? With the culture, the tech or how do we do it? [Mads:] If I may start, it's all about starting with the management buy-in. You need to convey management this is something you should spend time on. Resources, nonetheless... if you don't have the resources, you can try to push culture, but you're going to meet managers who will just say, this is not a feature, so it is not a priority for management. We're not going to spend time on it. [Ophelia:] It's always good to start with management buy-in, but the danger of starting too much up is that there's a tendency to fall into totally top-down with no understanding of the bottom's intention. It's like, back in the days when we adopted Scrum and everybody needed to be agile. It was just, you just need to do it. Use Jira. That's it. [Chuckles] [Jonathan:] I like to think that if you're even considering DevSecOps, it's because you want to accomplish something. That's the delivery of software to generate value. Every organization has many different value streams. If you consider software engineering or delivery as a value stream, start there. Try to understand how the business and the teams define the value, so you can come to common ground. Ultimately, you're going to need to build software. I don't know any other way you want to do it except for having some DevSecOps practices in place. [Stefan:] Ophelia and Mads, you are and have been in highly regulated spaces. I guess things like registrations and legal work can become a kickstarter, because you spend so much time on all of the legal stuff all of a sudden. [Mads:] I think so, but there's also a chance of falling into the trap of pushing it out, top down. I totally agree. We should watch out for too much top down. We need to find a way to do development or involvement from as early on as possible, so we can... [Mads:] It's awareness and... [Ophelia:] A secure developer needs to know something about security. Otherwise when you come with a new tool from the platform department, people say, why the heck should I adopt it? [All laugh] Of course, they need to be aware it is important, why it's important for their ownership, why they should care. [Stefan:] That loops back to the Department of No. Because security says so. [Ophelia:] Or because we need to check this mark on the Excel sheet. [Jonathan:] Exactly right. [Stefan:] We get back to the good old checkbox security that everybody loves. [Jonathan & Mads:] Yeah. Right until you have an incident. Then everything crashes and burns, no matter who you are. Any last words you like, buy our stuff, change your whole industry or anything you want to give a shout out to at the end? [Mads:] Threat modeling. [Stefan:] All right. On that note, everybody's going to leave the room and do threat modeling now. Are you going to be running a session in the hallway on it, or not really? [Mads:] Well, like write me a LinkedIn. I'm a consultant. We can figure that out. [All laugh] [Stefan:] It's always like that. Please come to me afterwards. I'll happily do work for you. [Laughter] All right. On that note, thank you to all three of you. They will be around if you have further questions.
- DevOps
- Security
- Management and culture
- AI
- Conference talks
Related videos