It's really unfortunate that, as infosec practitioners, we often approach bringing security into DevOps by asking how we can change DevOps to fit our needs. We are far more successful, however, if we open our minds and look at how the delivery pipeline can actually inform and shape how we approach security.
Do you do sprints in security? What about user stories? Do you manage an enterprise security backlog? Wouldn't that be a great way not only to track technical debt but also to demonstrate to your leadership, in a concrete way, the need for more resources? There are many development practices we can and should learn to adopt in managing our security programs.
And as always, learn more in the DevSecOps Hub, and feel free to ask anything or share your thoughts.