Attacks/Breaches

10/30/2018
02:30 PM
Jim Kaskade
Jim Kaskade
Commentary
Connect Directly
Facebook
LinkedIn
Google+
RSS
E-Mail vvv
0%
100%

The Case for MarDevSecOps

Why security must lead the integration of marketing into the collaborative security and development model in the cloud.

Over the past several years, organizations have done themselves a favor by integrating security into cloud operations, aka DevOps. Evolving DevOps into DevSecOps by weaving security in with software development and administration has proven to be a no-brainer, especially as the firewall boundary extends beyond the traditional edge with public cloud services.

Because of the organizationally wide consumption of cloud services, DevSecOps is empowering not only the developer community but also marketing organizations. It's showing that cloud can be the force that breaks down silos and delivers on companies' need for speed. The shadow IT that has been supporting marketing behind the scenes can finally come together in the light of day under a single force — MarDevSecOps.

MarDevSecOps may not roll off the tongue, and we're not advocating that shadow IT persist with such a term. However, organizations now need to involve marketing in the development process more than ever — especially if they want to make sure consumer-facing digital products and services can withstand hacking and phishing attempts, and are free of dangerous vulnerabilities, while adhering to the European Union's General Data Protection Regulation (GDPR) and other emerging global privacy regulations. It will be up to security to make sure this incorporation of marketing goes smoothly.

Security personnel are already realizing that their vantage point puts them at an important nexus where all of these stakeholders meet. Earlier this year, the CISO of a major consumer packaged goods company told me that "trust is the new currency." The comment came up in the context of the GDPR's mandate to obtain consumers' explicit consent before marketing to them electronically. But he meant it to encompass the notion that all customer activity must be kept secure, private, and compliant with privacy regulations.

Bringing Marketing Tech Out of the Shadows
Security has quietly harrumphed as marketing widened shadow IT over the years through purchases of largely cloud-based apps; marketing found it quicker to bypass IT in order to add the functionality needed to stay competitive in a fast-evolving consumer landscape. Although the makers of these cloud apps often bake security into their offerings from the earliest stages of design, it is still a lot of work to incorporate their finished products into CISOs' and CIOs' security and governance workflows.

Ironically, that same driver — time to market — is now bringing marketing back to IT and security. Marketing understands that organizations can't have bugs or security holes in the ever-changing products and services at the heart of their customer experiences. With breaches so common that they hardly register as news, no one needs convincing of the importance of having the highest levels of botnet and DDoS-attack prevention, brute-force-attack recognition, intrusion-detection capabilities, and fraud analytics. But how do companies instill these features into every facet of the omnichannel customer journey without disrupting the end user experience?

This is where security's knowledge is indispensable, particularly in organizations that invest heavily in keeping up with best practices and obtaining the highest levels of certification from the tech industry's most respected independent standards agencies.

Security's Vantage Point
Even if security and marketing are on the same page, they don't exist in a vacuum; their needs are intertwined with software development and support, as well as compliance, which is why the current DevSecOps paradigm matters so much in the first place.

If marketing were brought into the process, it could help developers intimately understand the end user's needs. IT could help marketing procure the cloud apps and other necessary pieces for new consumer-facing offerings along company protocols, and lend its expertise in selecting the right mix of public-private cloud services and administering them efficiently.

Regulatory compliance teams will still need to ensure that end products adhere not just to GDPR or California's forthcoming data privacy law (which goes into effect 2020), but also myriad other regulations around the world that differ widely in scope and statutes.

Why should security tie all of this together? Because the department is arguably already deeper into each stakeholder's affairs than any other department. Security knows how to bake breach-defense elements into new offerings in the early development stages fast enough to capitalize on increasingly fleeting windows of market opportunity. Privacy has also become inextricably linked with security, forcing the infosec team to get into the bunker with compliance to help ward off regulatory fines.

If DevSecOps stakeholders don't include marketing — or worse, let marketing continue to think it is safe to take IT procurement in its own hands — organizations could face a variety of security, compliance, operational, legal, and business risks. It's up to security to incorporate marketing and balance everyone's overall needs for the good of the organization.

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Jim spearheads customer identity and access management company Janrain's vision, strategy and worldwide operations. He is a seasoned entrepreneur with more than 31 years of experience in complex enterprise technology, including 10 years as a startup CEO leading companies from ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
viopoker
50%
50%
viopoker,
User Rank: Apprentice
11/5/2018 | 8:48:32 AM
I just now
I just now evolving DevOps into DevSecOps

 

 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 10:45:35 PM
Re: Where the problem is.
@Dr.T: Conversely, however, in many organizations, marketing's hands would effectively be tied if they had to run everything through IT (especially in those orgs where the marketing department frequently faces uphill battles to justify itself to operations people who don't understand what marketing does, what good marketing looks like, or why marketing is important). You can really only deal with this with partnership between IT and marketing, from the top down. But that takes a huge effort that many orgs simply don't feel that they can afford.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 10:43:20 PM
Re: God, please, no; stop this bullshit.
I agree, @Jim. Vendors are great for outsourcing certain things, but the one thing you should never outsource (or, at least, almost never) is strategy. Strategy has to come from within, and that requires the kind of holistic approach you're talking about -- buzzword combos aside.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 10:41:44 PM
Sec vs. Privacy vs. Compliance
The only problem with all of this philosophizing is that security, privacy, and compliance -- while comprising the greater Venn diagram of data stewardship -- remain separate (if partially overlapping) circles. Security is not privacy. Privacy is not compliance. Compliance is not security. It's really going to take much more interaction to get marketing on board with these regulations -- as well as to be proactive enough with privacy, security, and best practices such that future regulation and law don't cause too big of a speed bump. Ditto for dev teams (who are just as guilty of making bad decisions with data).
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2018 | 12:49:12 PM
Where the problem is.
If DevSecOps stakeholders don't include marketing or worse, let marketing continue to think it is safe to take IT procurement in its own hands Obviously this is where the problem is. IT can easily be by-passed.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2018 | 12:46:19 PM
User need
If marketing were brought into the process, it could help developers intimately understand the end user's needs I agree with this statement. We tend to develop things that nobody needs.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2018 | 9:30:13 AM
Re: God, please, no; stop this bullshit.
intelligent group internally to talk about how that plays into centralized consent management, etc This makes sense. Marketing and other groups should be part of it in my view.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2018 | 9:17:49 AM
Re: God, please, no; stop this bullshit.
The more things you do, the less solid results are. It is inevitable. Laws of physics. This is a fair point. However these days we are being asked more with less.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/31/2018 | 9:12:05 AM
MarDevSecOps
I like the concept of MarDevSecOps. Marketing should be streamlined into security operations for sure.
jim.kaskade
50%
50%
jim.kaskade,
User Rank: Author
10/30/2018 | 5:40:11 PM
Re: God, please, no; stop this bullshit.
Fair enough. I wasn't advocating for a new group (like MarDevSecFinJanitorChefOps). I was saying that before my CMO pulls in yet another marketing tool (lets look at Scott Brinker's ChiefMarTech list), one might sit down with an intelligent group internally to talk about how that plays into centralized consent management, etc.).

It's more about bringing the fragmented players together when it comes to consumer data.
Page 1 / 2   >   >>
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
6 CISO Resolutions for 2019
Ericka Chickowski, Contributing Writer, Dark Reading,  12/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: When Harry Met Sally
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7690
PUBLISHED: 2018-12-13
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
CVE-2018-7691
PUBLISHED: 2018-12-13
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
CVE-2018-8033
PUBLISHED: 2018-12-13
The OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitati...
CVE-2018-20127
PUBLISHED: 2018-12-13
An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds.
CVE-2018-20128
PUBLISHED: 2018-12-13
An issue was discovered in UsualToolCMS v8.0. cmsadmin\a_sqlback.php allows remote attackers to delete arbitrary files via a backname[] directory-traversal pathname followed by a crafted substring.