Dark Reading is part of the Informa Tech Division of Informa PLC



02:30 PM
Jim Kaskade

The Case for MarDevSecOps

Why security must lead the integration of marketing into the collaborative security and development model in the cloud.

Over the past several years, organizations have done themselves a favor by integrating software development with cloud operations, aka DevOps. Evolving DevOps into DevSecOps by weaving security in with software development and administration has proven to be a no-brainer, especially as the network perimeter extends beyond the traditional edge into public cloud services.

Because cloud services are now consumed organization-wide, DevSecOps is empowering not only the developer community but also marketing organizations. It's showing that cloud can be the force that breaks down silos and delivers on companies' need for speed. The shadow IT that has been supporting marketing behind the scenes can finally come together in the light of day under a single force: MarDevSecOps.

MarDevSecOps may not roll off the tongue, and we're not advocating that shadow IT persist with such a term. However, organizations now need to involve marketing in the development process more than ever — especially if they want to make sure consumer-facing digital products and services can withstand hacking and phishing attempts, and are free of dangerous vulnerabilities, while adhering to the European Union's General Data Protection Regulation (GDPR) and other emerging global privacy regulations. It will be up to security to make sure this incorporation of marketing goes smoothly.

Security personnel are already realizing that their vantage point puts them at an important nexus where all of these stakeholders meet. Earlier this year, the CISO of a major consumer packaged goods company told me that "trust is the new currency." The comment came up in the context of the GDPR's mandate to obtain consumers' explicit consent before marketing to them electronically. But he meant it to encompass the notion that all customer activity must be kept secure, private, and compliant with privacy regulations.

Bringing Marketing Tech Out of the Shadows
Security has quietly harrumphed as marketing widened shadow IT over the years through purchases of largely cloud-based apps; marketing found it quicker to bypass IT in order to add the functionality needed to stay competitive in a fast-evolving consumer landscape. Although the makers of these cloud apps often bake security into their offerings from the earliest stages of design, it is still a lot of work to incorporate their finished products into CISOs' and CIOs' security and governance workflows.

Ironically, that same driver, time to market, is now bringing marketing back to IT and security. Marketing understands that organizations can't have bugs or security holes in the ever-changing products and services at the heart of their customer experiences. With breaches so common that they hardly register as news, no one needs convincing of the importance of botnet and DDoS mitigation, brute-force-attack detection, intrusion detection, and fraud analytics. But how do companies build these controls into every facet of the omnichannel customer journey without disrupting the end-user experience?

This is where security's knowledge is indispensable, particularly in organizations that invest heavily in keeping up with best practices and obtaining the highest levels of certification from the tech industry's most respected independent standards agencies.

Security's Vantage Point
Even if security and marketing are on the same page, they don't exist in a vacuum; their needs are intertwined with software development and support, as well as compliance, which is why the current DevSecOps paradigm matters so much in the first place.

If marketing were brought into the process, it could help developers intimately understand the end user's needs. IT could help marketing procure the cloud apps and other necessary pieces for new consumer-facing offerings in line with company procurement and governance policy, and lend its expertise in selecting the right mix of public and private cloud services and administering them efficiently.

Regulatory compliance teams will still need to ensure that end products adhere not just to GDPR or California's forthcoming data privacy law, the California Consumer Privacy Act (CCPA), which goes into effect in 2020, but also to the myriad other regulations around the world that differ widely in scope and statutes.

Why should security tie all of this together? Because the department is arguably already deeper into each stakeholder's affairs than any other department. Security knows how to bake breach-defense elements into new offerings in the early development stages fast enough to capitalize on increasingly fleeting windows of market opportunity. Privacy has also become inextricably linked with security, forcing the infosec team to get into the bunker with compliance to help ward off regulatory fines.

If DevSecOps stakeholders don't include marketing — or worse, let marketing continue to think it is safe to take IT procurement in its own hands — organizations could face a variety of security, compliance, operational, legal, and business risks. It's up to security to incorporate marketing and balance everyone's overall needs for the good of the organization.



Jim spearheads customer identity and access management company Janrain's vision, strategy and worldwide operations. He is a seasoned entrepreneur with more than 31 years of experience in complex enterprise technology, including 10 years as a startup CEO leading companies from ...
User Rank: Apprentice
10/30/2018 | 3:23:44 PM
God, please, no; stop this bullshit.
I don't think I've ever read that amount of business bullshit, but I knew it was coming when I first saw the DevOps concept. Of course you want people to do myriads of things under one job position because of savings, but true specialists and experts will remain in their area of expertise, so - ultimately - crap like MarDevSecFinJanitorChefOps concepts has to die. The more things you do, the less solid the results are. It is inevitable. Laws of physics.