3/4/2020 02:00 PM
John Worrall
Commentary

CISOs Who Want a Seat at the DevOps Table Better Bring Value

Here are four ways to make inroads with the DevOps team -- before it's too late.

Throughout a series of recent conversations that I've had with CISOs, a common question has emerged: "How do I get a seat at the DevOps table?"

It's an understandable challenge that many security leaders are grappling with today. Too often, security teams are unaware of what's in their organization's application pipeline until after it's pushed to production. Only then can they assess any potential risk introduced to the business, while simultaneously scrambling to take appropriate action.

To be in the room where it happens, to get that coveted invitation to the DevOps table — and keep your seat for the long run — you must contribute real value. It's not enough to simply be there. It requires a balanced give-and-take.

Adding value happens in different ways. Regarding business, security teams provide essential risk management and mitigation services to organizations, but from the DevOps perspective, more is needed. Security teams need to design programs and introduce solutions that can keep pace with the DevOps workflow. In a word, security needs to bring speed. Here are four ways to make that happen.

1. Forge Relationships
Sure, you can sit in on a few development conversations. It's a great way to initiate efforts around effectively securing applications and infrastructure. You'll learn a lot and maybe even share a few best practices on secure coding. But cultivating collaborative, mutually beneficial relationships requires much more. You have to make the time and effort to get to know your development counterparts. Get smart on DevOps fundamentals, read what they're reading, participate in regular demos, and understand what keeps them up at night and what excites them most about their work. These personal relationships and bits of insider knowledge will help you develop strong security strategies and implement the right solutions to help DevOps teams maintain velocity.

2. Champion Innovation
CISOs and security leaders, it's up to you to reverse the long-held perception of security as a barrier to innovation and growth. In fact, a recent Harvard Business Review Analytic Services study found 73% of respondents believe a CISO's ability to recognize and nurture innovation is "very important." By building relationships with the DevOps team, CISOs can begin to proactively anticipate their evolving needs, get involved in new DevOps initiatives at the start (instead of coming on board after issues are discovered) and even spearhead efforts to adopt new approaches that help drive innovation and speed processes — safely.

3. Speak Their Language
According to Gartner, "CISOs must apply rigor and perspective to the business orientation, cost and value of risk management and cybersecurity." Much has been written on the importance of CISOs "speaking the language of business" by communicating risk in terms of dollars and cents to executive teams and boards. But it can't stop there. Today's CISOs must also speak the language of DevOps. Risk must be communicated in terms of speed. Consider this line as an example: "If we wait to address vulnerabilities after they're uncovered late in the software development life cycle, you'll need to go back, reopen the code that you wrote, refresh your memory on the logic you built, and pinpoint the specific module that's causing a problem. This unnecessary backtracking is going to waste time and slow things down."

4. Deliver Solutions with Value
The primary purpose of the DevOps approach is to speed the development and release of software. It's a comprehensive, continuous process, and increasing speed demands orchestration and automation. To deliver real value to DevOps teams, security must adopt similarly agile methodologies. This means integrating application risk management seamlessly into the entire DevOps process, instead of emerging at inopportune times to fix software and infrastructure vulnerabilities as they surface. It means embracing tools that are transparent to developers and let them keep their existing workflows. Such tools should orchestrate and automate the discovery and prioritization of vulnerabilities, speed remediation efforts, and provide a single, consolidated view of risk.

Finding ways to empower DevOps at the speed of business is key to bridging the gap between security and development teams. By providing a security overlay to the pipeline platforms developers already use — from GitHub and GitLab to Azure DevOps and BitBucket — and sharing risk and remediation advice in these platforms' native forms, developers can focus on what matters. That is, the rapid development of high-quality software that drives competitive business and promises a safer, more productive society.
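What the consolidated, pipeline-native view described above can look like in practice, as an added example that is not code from this article or from any product: it merges constructed sample output from two hypothetical scanners (the field names of both input formats are assumptions), removes duplicate findings, ranks them by severity, applies a fail-the-build threshold, and emits SARIF 2.1.0, the format GitHub code scanning and similar platforms ingest so findings appear on the pull request instead of in a separate security console.

```python
"""Consolidate findings from several scanners into one prioritized view and emit SARIF.

Added example, not code from the article or from any vendor. The two scanner output
shapes below are hypothetical, and every finding is constructed sample data.
"""
import json

# Map each tool's severity vocabulary onto one ordering; higher sorts first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# SARIF 2.1.0 result levels that GitHub and other platforms render.
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning",
               "low": "note", "info": "note"}

# Constructed sample output of a hypothetical SAST tool (field names are assumptions).
SAST_FINDINGS = [
    {"check": "sql-injection", "severity": "HIGH", "path": "app/db.py", "line": 42,
     "msg": "Query built with string formatting"},
    {"check": "hardcoded-secret", "severity": "MEDIUM", "path": "app/config.py", "line": 7,
     "msg": "Possible credential in source"},
    {"check": "sql-injection", "severity": "HIGH", "path": "app/db.py", "line": 42,
     "msg": "Query built with string formatting"},  # duplicate from a second run
]

# Constructed sample output of a hypothetical SCA (dependency) tool, different shape.
SCA_FINDINGS = [
    {"id": "vulnerable-dependency", "level": "critical", "file": "requirements.txt",
     "lineno": 3, "detail": "pinned version has known vulnerabilities; upgrade"},
    {"id": "license-review", "level": "info", "file": "requirements.txt",
     "lineno": 9, "detail": "Copyleft license detected"},
]


def normalize(sast, sca):
    """Translate both tool formats into one record shape."""
    records = []
    for f in sast:
        records.append({"tool": "sast", "rule": f["check"], "severity": f["severity"].lower(),
                        "file": f["path"], "line": f["line"], "message": f["msg"]})
    for f in sca:
        records.append({"tool": "sca", "rule": f["id"], "severity": f["level"].lower(),
                        "file": f["file"], "line": f["lineno"], "message": f["detail"]})
    return records


def consolidate(records):
    """Drop duplicates (same rule at the same location), keeping the worse severity,
    and sort so the highest-severity findings come first."""
    seen = {}
    for r in records:
        key = (r["rule"], r["file"], r["line"])
        if key not in seen or SEVERITY_RANK[r["severity"]] > SEVERITY_RANK[seen[key]["severity"]]:
            seen[key] = r
    return sorted(seen.values(),
                  key=lambda r: (-SEVERITY_RANK[r["severity"]], r["file"], r["line"]))


def gate(findings, fail_at="high"):
    """Return (passed, blocking): the pipeline step fails on findings at or above fail_at."""
    blocking = [f for f in findings
                if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_at]]
    return (not blocking, blocking)


def to_sarif(findings, tool_name="consolidated-scan"):
    """Emit a SARIF 2.1.0 log so the platform can annotate the pull request inline."""
    rules = {f["rule"]: {"id": f["rule"], "shortDescription": {"text": f["rule"]}}
             for f in findings}
    results = [{
        "ruleId": f["rule"],
        "level": SARIF_LEVEL[f["severity"]],
        "message": {"text": f"[{f['tool']}] {f['message']}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f["file"]},
            "region": {"startLine": f["line"]}}}],
    } for f in findings]
    return {
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


if __name__ == "__main__":
    findings = consolidate(normalize(SAST_FINDINGS, SCA_FINDINGS))
    passed, blocking = gate(findings)
    print(json.dumps(to_sarif(findings), indent=2))
    print("gate:", "pass" if passed else f"FAIL ({len(blocking)} blocking finding(s))")
```

The point of the design is the one the article makes: developers never open a second tool. The pipeline runs the scanners it already has, this step collapses their output into one ranked list, the SARIF file is uploaded by the platform's own mechanism so each finding lands on the offending line of the pull request, and the threshold in `gate` is the policy the security team owns. Tuning `fail_at` is how you trade speed against risk explicitly rather than by blocking releases after the fact.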

John Worrall has more than 25 years of leadership, strategy, and operational experience across early stage and established cybersecurity brands. In his current role as CEO at ZeroNorth, he leads the company's efforts to help customers bolster security across the software life ...