
Security and DevOps Under One Roof: Why I Stopped Apologizing for It

The case for the dual mandate, and why org-chart distance doesn't create security.

January 27, 2026 · 4 min read · 279 words

People sometimes raise an eyebrow at one person owning both security and DevOps. Isn't that the fox guarding the henhouse? Shouldn't the people who ship and the people who protect be separate, so they check each other?

I understand the instinct, and for a long time I half-believed it. I don't anymore. Here's the case for the combined mandate.

When security and delivery sit in separate org branches, they develop separate incentives, and those incentives quietly turn adversarial. Delivery is measured on speed; security is measured on caution. Each becomes the thing standing between the other and its goals. You get the famous dynamic where security is "the team that says no" and engineering routes around them. The separation that was supposed to create healthy tension creates unhealthy avoidance instead.

Put both under one roof and the tension moves inside the function, where it can be managed as a tradeoff instead of a turf war. I can't treat security as something I impose on someone else's systems, because they're my systems. I can't treat reliability as someone else's problem, because the pager is mine. That forces the integration that everyone says they want and few actually achieve: security built into the pipeline, resilience designed in, and a single owner accountable when fast and safe come into conflict.

The separation-of-duties concern is real and you address it with controls — review, logging, approvals — not with org-chart distance. Distance doesn't create security. It creates handoffs, and handoffs are where things get dropped. I stopped apologizing for the combined role once I noticed that the org charts people hold up as "proper" were usually the ones shipping slowly and getting breached.

Tags: DevOps, Security, Leadership, Org Design