Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


checkLoop 1
10:00 AM
Lamont Orange
Lamont Orange
Connect Directly
E-Mail vvv

DevSecOps: The Answer to the Cloud Security Skills Gap

There's a skills and resources gap industrywide, but a DevSecOps approach can go a long way toward closing that gap.

Digital transformation is driving change in every corner of the security industry. Organizations are evolving and expanding into the cloud rapidly, but their security teams and legacy data centers are holding them back. A skills and resources gap exists industrywide, but implementing a DevSecOps approach is key toward bridging that gap. 

DevSecOps, an inherently agile and nimble approach to security, is well suited for a more cloud-enabled future. Bringing together formerly isolated teams under one function allows security to be built in throughout the development process, also known as security by design, meaning that security can be more than an afterthought at the beginning and the end. 

But DevSecOps only works if organizations are willing to give their teams the resources and tools to successfully bridge those skill and resource gaps. Before you change your direction, you first need to address the issues with your current posture, understand the capacity of your current security teams, and find a guiding principle to drive your development. Here's where to start.

New Solution, Same Old Mistakes
Faced with the evolving threats brought on by digital transformation, organizations need to be aware of their existing postures and shortcomings in protecting their data.

This means asking questions about how you can improve your security posture in the cloud and rethink your best practices, finding the elements that are most germane to your organization. Instead of using the monolithic code that lived inside your data center, you have to architect your infrastructure from the beginning to continuously monitor based around these principles.

Because of digital transformation, your security posture will change and your best practices will need to be tweaked. Having a DevOps team that is questioning the past, and improving your security posture throughout this iterative transformation will pay off as your organization continues to scale.

Cloud-enabled security is meant to be iterative. It's a foregone conclusion that you're going to have incidents, but a DevSecOps team that is constantly iterating can catch them faster and fix issues as they come up. The security exists throughout the process, not just at the endpoints. This is the goal.

After solving this problem, you then need to make sure you have the right team for the job.

Mind the Skills Gap
I've talked with many organizations that tell me they've been doing DevOps for a long time, but that's often not entirely true. Sure, they have people monitoring their data centers, making sure the lights on the boxes are still blinking, but they aren't actually digitally transforming that team. As security moves into the cloud, that team is going to be responsible for rebuilding that infrastructure in the cloud, and if security isn't a part of the conversations around this infrastructure, organizations are missing a huge opportunity.

When organizations decide they want to do DevSecOps, they turn to a team, be it development, operations, or security, and tell them they need to get on board with transforming, often without the proper skills, resources, or guidelines. You need to know your DevOps teams' comfort level with security, and around digital transformation. For example, if they don't know about serverless infrastructure, beyond the obvious, then you're in for trouble.

Expecting a team to exclusively learn on the fly is basing a strategy on hope, which is always doomed to fail. Instead, take your spare moments and offer your DevSecOps team opportunities to learn from their blind spots, whether with additional certifications or shadowing. It doesn't have to be perfect, but every bit helps. This way, they are constantly getting better and modernizing, improving themselves as they improve your security infrastructure. 

Find the North Star 
DevSecOps can only help solve for issues if you have a guiding principle, or north star, for what you're trying to accomplish.  Doing this means making sure you know how you're implementing and improving your security posture in the cloud.

It's important to factor in security as you go, and embody visibility and contextual application of controls. For a long time, security teams pushed for access within the enterprise perimeter, but the transition to cloud computing is making all of that access obsolete, clouding their visibility and the effectiveness of how perceived controls will work in the cloud.

DevSecOps is all about consolidating teams to pool resources, better leverage skills, and realize unified goals and perspectives, which are key. And as I noted earlier, this doesn't have to be perfect.  Success with DevSecOps comes with being cloud curious and learning what matters most to your organization. This is an opportunity to take a modernized security stack to the cloud, in addition to business innovation. It's a fresh start to security, forecasting increased visibility and contextual controls applied at scale, all while supporting the agility of the business, all of which makes for a well-defined transformation. The lessons learned are:

  • If you're not transforming your security teams and capabilities, you're falling behind.
  • If you're resting on your existing security capabilities, you're going blind.
  • Context is key, resistance to change is not innovative, and most of your traffic is traversing the Web.

You're going to have bumps along the way, and have to iterate, but each iteration will make your DevSecOps team learn and better prepared for whatever the next threat presents.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "8 Backup & Recovery Questions to Ask Yourself."

Lamont Orange has more than 20 years of experience in the information security industry, having previously served as vice president of enterprise security for Charter Communications (now Spectrum) and as senior manager for the security and technology services practice at ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
11/22/2019 | 4:02:37 PM
Completely agree!
Lamont -- Great article and I couldn't agree more--DevSecOps goes a long way towards helping with the crushing skills gap. As you said "... DevSecOps only works if organizations are willing to give their teams the resources and tools to successfully bridge those skill and resource gaps." In speaking with organizations, we see that many of them today have between 12 and 15 application security and testing tools in use. And each tool often requires its own separate team for management. This obviously exacerbates constrained resources, and this is where we've seen the benefits of orchestration come in. By eliminating the need to manually evaluate, deploy and manage all of these scanning and testing tools, lean security teams can refocus their effort and skills on projects more critical to the business. In many organizations, we've seen this shift have residual benefits such as empowering a more satisfied, productive workforce and reducing employee churn. Lamont, let me know if you would like to connect live to discuss this further. John Worrall, ZeroNorth
User Rank: Author
11/17/2019 | 3:32:40 AM
Interesting article
Interesting article
User Rank: Apprentice
11/17/2019 | 12:24:16 AM
thank pro
thank so much
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-13
stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read in stbi__load_main.
PUBLISHED: 2019-12-13
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer over-read in the function load_sixel at loader.c.
PUBLISHED: 2019-12-13
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of pa...
PUBLISHED: 2019-12-13
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publi...
PUBLISHED: 2019-12-13
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain...
checkLoop 2