
10/30/2018
02:30 PM
Jim Kaskade
Commentary

The Case for MarDevSecOps

Why security must lead the integration of marketing into the collaborative security and development model in the cloud.

Over the past several years, organizations have done themselves a favor by integrating security into cloud operations, aka DevOps. Evolving DevOps into DevSecOps by weaving security in with software development and administration has proven to be a no-brainer, especially as the firewall boundary extends beyond the traditional edge with public cloud services.

Because of the organizationally wide consumption of cloud services, DevSecOps is empowering not only the developer community but also marketing organizations. It's showing that cloud can be the force that breaks down silos and delivers on companies' need for speed. The shadow IT that has been supporting marketing behind the scenes can finally come together in the light of day under a single force — MarDevSecOps.

MarDevSecOps may not roll off the tongue, and we're not advocating that shadow IT persist with such a term. However, organizations now need to involve marketing in the development process more than ever — especially if they want to make sure consumer-facing digital products and services can withstand hacking and phishing attempts, and are free of dangerous vulnerabilities, while adhering to the European Union's General Data Protection Regulation (GDPR) and other emerging global privacy regulations. It will be up to security to make sure this incorporation of marketing goes smoothly.

Security personnel are already realizing that their vantage point puts them at an important nexus where all of these stakeholders meet. Earlier this year, the CISO of a major consumer packaged goods company told me that "trust is the new currency." The comment came up in the context of the GDPR's mandate to obtain consumers' explicit consent before marketing to them electronically. But he meant it to encompass the notion that all customer activity must be kept secure, private, and compliant with privacy regulations.

Bringing Marketing Tech Out of the Shadows
Security has quietly harrumphed as marketing widened shadow IT over the years through purchases of largely cloud-based apps; marketing found it quicker to bypass IT in order to add the functionality needed to stay competitive in a fast-evolving consumer landscape. Although the makers of these cloud apps often bake security into their offerings from the earliest stages of design, it is still a lot of work to incorporate their finished products into CISOs' and CIOs' security and governance workflows.

Ironically, that same driver — time to market — is now bringing marketing back to IT and security. Marketing understands that organizations can't have bugs or security holes in the ever-changing products and services at the heart of their customer experiences. With breaches so common that they hardly register as news, no one needs convincing of the importance of having the highest levels of botnet and DDoS-attack prevention, brute-force-attack recognition, intrusion-detection capabilities, and fraud analytics. But how do companies instill these features into every facet of the omnichannel customer journey without disrupting the end user experience?

This is where security's knowledge is indispensable, particularly in organizations that invest heavily in keeping up with best practices and obtaining the highest levels of certification from the tech industry's most respected independent standards agencies.

Security's Vantage Point
Even if security and marketing are on the same page, they don't exist in a vacuum; their needs are intertwined with software development and support, as well as compliance, which is why the current DevSecOps paradigm matters so much in the first place.

If marketing were brought into the process, it could help developers intimately understand the end user's needs. IT could help marketing procure the cloud apps and other necessary pieces for new consumer-facing offerings in line with company protocols, and lend its expertise in selecting the right mix of public and private cloud services and administering them efficiently.

Regulatory compliance teams will still need to ensure that end products adhere not just to GDPR or California's forthcoming data privacy law (which goes into effect in 2020), but also to the myriad other regulations around the world that differ widely in scope and statutes.

Why should security tie all of this together? Because the department is arguably already deeper into each stakeholder's affairs than any other department. Security knows how to bake breach-defense elements into new offerings in the early development stages fast enough to capitalize on increasingly fleeting windows of market opportunity. Privacy has also become inextricably linked with security, forcing the infosec team to get into the bunker with compliance to help ward off regulatory fines.

If DevSecOps stakeholders don't include marketing — or worse, let marketing continue to think it is safe to take IT procurement in its own hands — organizations could face a variety of security, compliance, operational, legal, and business risks. It's up to security to incorporate marketing and balance everyone's overall needs for the good of the organization.


Jim spearheads customer identity and access management company Janrain's vision, strategy and worldwide operations. He is a seasoned entrepreneur with more than 31 years of experience in complex enterprise technology, including 10 years as a startup CEO leading companies from ...
Comments
Marc250, User Rank: Apprentice, 10/30/2018 | 3:23:44 PM
God, please, no; stop this bullshit.
I don't think I've ever read that amount of business bullshit, but I knew it was coming when I first saw the DevOps concept. Of course you want people to do myriads of things under one job position because of savings, but true specialists and experts will remain in their area of expertise, so - ultimately - crap like MarDevSecFinJanitorChefOps concepts has to die. The more things you do, the less solid the results are. It is inevitable. Laws of physics.