Over the past several years, organizations have done themselves a favor by integrating security into DevOps. Evolving DevOps into DevSecOps, with security woven into software development and operations rather than bolted on afterward, has proven to be a no-brainer, especially as the network perimeter extends beyond the traditional edge into public cloud services.
Because cloud services are now consumed across the whole organization, DevSecOps is empowering not only the developer community but also marketing. It is showing that cloud can be the force that breaks down silos and delivers on companies' need for speed. The shadow IT that has been supporting marketing behind the scenes can finally come together in the light of day under a single discipline: MarDevSecOps.
MarDevSecOps may not roll off the tongue, and we're not advocating that shadow IT persist with such a term. However, organizations now need to involve marketing in the development process more than ever — especially if they want to make sure consumer-facing digital products and services can withstand hacking and phishing attempts, and are free of dangerous vulnerabilities, while adhering to the European Union's General Data Protection Regulation (GDPR) and other emerging global privacy regulations. It will be up to security to make sure this incorporation of marketing goes smoothly.
Security personnel are already realizing that their vantage point puts them at an important nexus where all of these stakeholders meet. Earlier this year, the CISO of a major consumer packaged goods company told me that "trust is the new currency." The comment came up in the context of the GDPR's mandate to obtain consumers' explicit consent before marketing to them electronically. But he meant it to encompass the notion that all customer activity must be kept secure, private, and compliant with privacy regulations.
Bringing Marketing Tech Out of the Shadows
Security has quietly harrumphed as marketing widened shadow IT over the years through purchases of largely cloud-based apps; marketing found it quicker to bypass IT than to wait for it when adding the functionality needed to stay competitive in a fast-evolving consumer landscape. Although the makers of these cloud apps often bake security into their offerings from the earliest stages of design, it is still a lot of work to bring their finished products into the CISO's and CIO's security and governance workflows: identity integration, data-handling review, logging, and vendor risk assessment do not happen on their own.
Ironically, that same driver, time to market, is now bringing marketing back to IT and security. Marketing understands that organizations can't afford bugs or security holes in the ever-changing products and services at the heart of their customer experiences. With breaches so common that they hardly register as news, no one needs convincing of the importance of botnet and DDoS-attack prevention, brute-force-attack recognition, intrusion detection, and fraud analytics. But how do companies build these controls into every facet of the omnichannel customer journey without disrupting the end-user experience?
This is where security's knowledge is indispensable, particularly in organizations that invest heavily in keeping up with best practices and obtaining the highest levels of certification from the tech industry's most respected independent standards agencies.
Security's Vantage Point
Even if security and marketing are on the same page, they don't exist in a vacuum; their needs are intertwined with software development and support, as well as compliance, which is why the current DevSecOps paradigm matters so much in the first place.
If marketing were brought into the process, it could help developers intimately understand the end user's needs. IT could help marketing procure the cloud apps and other necessary pieces for new consumer-facing offerings along company protocols, and lend its expertise in selecting the right mix of public-private cloud services and administering them efficiently.
Regulatory compliance teams will still need to ensure that end products adhere not just to the GDPR or California's forthcoming data privacy law, the California Consumer Privacy Act (CCPA), which goes into effect in 2020, but also to the myriad other privacy regulations around the world that differ widely in scope and requirements.
Why should security tie all of this together? Because the department is arguably already deeper into each stakeholder's affairs than any other. Security knows how to build breach-defense elements into new offerings in the early development stages, fast enough to capitalize on increasingly fleeting windows of market opportunity. Privacy has also become inextricably linked with security, forcing the infosec team to get into the bunker with compliance to help ward off regulatory fines.
If DevSecOps stakeholders don't include marketing — or worse, let marketing continue to think it is safe to take IT procurement in its own hands — organizations could face a variety of security, compliance, operational, legal, and business risks. It's up to security to incorporate marketing and balance everyone's overall needs for the good of the organization.