
Attacks/Breaches

10/30/2018
02:30 PM
Jim Kaskade
Commentary

The Case for MarDevSecOps

Why security must lead the integration of marketing into the collaborative security and development model in the cloud.

Over the past several years, organizations have done themselves a favor by integrating security into cloud operations, aka DevOps. Evolving DevOps into DevSecOps by weaving security in with software development and administration has proven to be a no-brainer, especially as the firewall boundary extends beyond the traditional edge with public cloud services.

Because of the organizationally wide consumption of cloud services, DevSecOps is empowering not only the developer community but also marketing organizations. It's showing that cloud can be the force that breaks down silos and delivers on companies' need for speed. The shadow IT that has been supporting marketing behind the scenes can finally come together in the light of day under a single force — MarDevSecOps.

MarDevSecOps may not roll off the tongue, and we're not advocating that shadow IT persist with such a term. However, organizations now need to involve marketing in the development process more than ever — especially if they want to make sure consumer-facing digital products and services can withstand hacking and phishing attempts, and are free of dangerous vulnerabilities, while adhering to the European Union's General Data Protection Regulation (GDPR) and other emerging global privacy regulations. It will be up to security to make sure this incorporation of marketing goes smoothly.

Security personnel are already realizing that their vantage point puts them at an important nexus where all of these stakeholders meet. Earlier this year, the CISO of a major consumer packaged goods company told me that "trust is the new currency." The comment came up in the context of the GDPR's mandate to obtain consumers' explicit consent before marketing to them electronically. But he meant it to encompass the notion that all customer activity must be kept secure, private, and compliant with privacy regulations.

Bringing Marketing Tech Out of the Shadows
Security has quietly harrumphed as marketing widened shadow IT over the years through purchases of largely cloud-based apps; marketing found it quicker to bypass IT in order to add the functionality needed to stay competitive in a fast-evolving consumer landscape. Although the makers of these cloud apps often bake security into their offerings from the earliest stages of design, it is still a lot of work to incorporate their finished products into CISOs' and CIOs' security and governance workflows.

Ironically, that same driver — time to market — is now bringing marketing back to IT and security. Marketing understands that organizations can't have bugs or security holes in the ever-changing products and services at the heart of their customer experiences. With breaches so common that they hardly register as news, no one needs convincing of the importance of having the highest levels of botnet and DDoS-attack prevention, brute-force-attack recognition, intrusion-detection capabilities, and fraud analytics. But how do companies instill these features into every facet of the omnichannel customer journey without disrupting the end user experience?

This is where security's knowledge is indispensable, particularly in organizations that invest heavily in keeping up with best practices and obtaining the highest levels of certification from the tech industry's most respected independent standards agencies.

Security's Vantage Point
Even if security and marketing are on the same page, they don't exist in a vacuum; their needs are intertwined with software development and support, as well as compliance, which is why the current DevSecOps paradigm matters so much in the first place.

If marketing were brought into the process, it could help developers intimately understand the end user's needs. IT could help marketing procure the cloud apps and other necessary pieces for new consumer-facing offerings along company protocols, and lend its expertise in selecting the right mix of public-private cloud services and administering them efficiently.

Regulatory compliance teams will still need to ensure that end products adhere not just to the GDPR or California's forthcoming data privacy law (which goes into effect in 2020), but also to the myriad other regulations around the world that differ widely in scope and statutes.

Why should security tie all of this together? Because the department is arguably already deeper into each stakeholder's affairs than any other department. Security knows how to bake breach-defense elements into new offerings in the early development stages fast enough to capitalize on increasingly fleeting windows of market opportunity. Privacy has also become inextricably linked with security, forcing the infosec team to get into the bunker with compliance to help ward off regulatory fines.

If DevSecOps stakeholders don't include marketing — or worse, let marketing continue to think it is safe to take IT procurement in its own hands — organizations could face a variety of security, compliance, operational, legal, and business risks. It's up to security to incorporate marketing and balance everyone's overall needs for the good of the organization.

 


Jim spearheads customer identity and access management company Janrain's vision, strategy and worldwide operations. He is a seasoned entrepreneur with more than 31 years of experience in complex enterprise technology, including 10 years as a startup CEO leading companies from ...
Comments
Marc250
User Rank: Apprentice
10/30/2018 | 3:23:44 PM
God, please, no; stop this bullshit.
I don't think I've ever read that amount of business bullshit, but I knew it was coming when I first saw the DevOps concept. Of course you want people to do myriads of things under one job position because of savings, but true specialists and experts will remain in their area of expertise, so - ultimately - crap like MarDevSecFinJanitorChefOps concepts have to die. The more things you do, the less solid the results are. It is inevitable. Laws of physics.