Operations | Commentary
3/4/2020 02:00 PM
John Worrall

CISOs Who Want a Seat at the DevOps Table Better Bring Value

Here are four ways to make inroads with the DevOps team -- before it's too late.

Throughout a series of recent conversations that I've had with CISOs, a common question has emerged: "How do I get a seat at the DevOps table?"

It's an understandable challenge that many security leaders are grappling with today. Too often, security teams are unaware of what's in their organization's application pipeline until after it's pushed to production. Only then can they assess any potential risk introduced to the business, while simultaneously scrambling to take appropriate action.

To be in the room where it happens, to get that coveted invitation to the DevOps table — and keep your seat for the long run — you must contribute real value. It's not enough to simply be there. It requires a balanced give-and-take.

Adding value happens in different ways. Regarding business, security teams provide essential risk management and mitigation services to organizations, but from the DevOps perspective, more is needed. Security teams need to design programs and introduce solutions that can keep pace with the DevOps workflow. In a word, security needs to bring speed. Here are four ways to make that happen.

1. Forge Relationships
Sure, you can sit in on a few development conversations. It's a great way to initiate efforts around effectively securing applications and infrastructure. You'll learn a lot and maybe even share a few best practices on secure coding. But cultivating collaborative, mutually beneficial relationships requires much more. You have to make the time and effort to get to know your development counterparts. Get smart on DevOps fundamentals, read what they're reading, participate in regular demos, and understand what keeps them up at night, what excites them most about their work. These personal relationships and bits of insider knowledge will help you develop strong security strategies and implement the right solutions to help DevOps teams maintain velocity.

2. Champion Innovation
CISOs and security leaders, it's up to you to reverse the long-held perception of security as a barrier to innovation and growth. In fact, a recent Harvard Business Review Analytic Services study found 73% of respondents believe a CISO's ability to recognize and nurture innovation is "very important." By building relationships with the DevOps team, CISOs can begin to proactively anticipate their evolving needs, get involved in new DevOps initiatives at the start (instead of coming on board after issues are discovered) and even spearhead efforts to adopt new approaches that help drive innovation and speed processes — safely.

3. Speak Their Language
According to Gartner, "CISOs must apply rigor and perspective to the business orientation, cost and value of risk management and cybersecurity." Much has been written on the importance of CISOs "speaking the language of business" by communicating risk in terms of dollars and cents to executive teams and boards. But it can't stop there. Today's CISOs must also speak the language of DevOps. Risk must be communicated in terms of speed. Consider this line as an example: "If we wait to address vulnerabilities after they're uncovered late in the software development life cycle, you'll need to go back, reopen the code that you wrote, refresh your memory on the logic you built, and pinpoint the specific module that's causing a problem. This unnecessary backtracking is going to waste time and slow things down."

4. Deliver Solutions with Value
The primary purpose of the DevOps approach is to speed the development and release of software. It's a comprehensive, continuous process, and increasing speed demands orchestration and automation. To deliver real value to DevOps teams, security must adopt similarly agile methodologies. This means integrating application risk management seamlessly into the entire DevOps process, instead of emerging at inopportune times to fix software and infrastructure vulnerabilities as they surface. It means embracing tools that are fully transparent to developers but also allow them to maintain existing workflows. Such tools should be able to orchestrate and automate the discovery and prioritization of vulnerabilities, speed remediation efforts, and provide a single, consolidated view of risk. 

Finding ways to empower DevOps at the speed of business is key to bridging the gap between security and development teams. By providing a security overlay to the pipeline platforms developers already use — from GitHub and GitLab to Azure DevOps and Bitbucket — and sharing risk and remediation advice in these platforms' native forms, developers can focus on what matters. That is, the rapid development of high-quality software that drives competitive business and promises a safer, more productive society.
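The fourth point above describes a pipeline-integrated overlay in the abstract: automate the discovery and prioritization of findings, consolidate them into one view of risk, and hand remediation advice to developers where they already work. The following is an added illustration of that idea, not code from the article, from ZeroNorth, or from any of the platforms named. It assumes a hypothetical, constructed normalization of scanner output (`tool`, `rule`, `severity`, `location`, `fix_available`); real SAST and SCA tools emit their own formats, and a thin adapter would map each into these fields. The sample findings, including the duplicates a re-scan produces, are constructed, and the CVE identifiers are placeholders.

```python
"""Consolidate findings from several scanners into one prioritized risk view
and decide whether a pipeline stage should pass.

Added example; the Finding schema and the sample data are constructed for
illustration. A CI job would feed real scanner output through an adapter
into Finding objects, post render_for_pr() as a pull-request comment, and
use gate() to set the job's exit status.
"""
from collections import Counter
from dataclasses import dataclass

# Ordering used both for prioritization and for the pass/fail gate.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)  # frozen -> hashable, so duplicates can be collapsed
class Finding:
    tool: str           # which scanner produced it (hypothetical names below)
    rule: str           # rule id or advisory id
    severity: str       # one of SEVERITY_RANK's keys
    location: str       # file:line for SAST, package==version for SCA
    fix_available: bool  # whether the tool reported a known fix


# Constructed sample output from two hypothetical scanners on one build.
# The repeated entries model the same issue being reported twice by a re-scan.
SAMPLE_FINDINGS = [
    Finding("sast", "sql-injection", "high", "app/db.py:42", True),
    Finding("sca", "CVE-PLACEHOLDER-1", "critical", "requests==2.19.0", True),
    Finding("sast", "weak-hash", "medium", "app/auth.py:10", True),
    Finding("sca", "CVE-PLACEHOLDER-2", "low", "six==1.11.0", False),
    Finding("sca", "CVE-PLACEHOLDER-1", "critical", "requests==2.19.0", True),
    Finding("sast", "sql-injection", "high", "app/db.py:42", True),
]


def dedupe(findings):
    """Collapse identical findings while preserving first-seen order."""
    return list(dict.fromkeys(findings))


def priority(f):
    """Sort key: higher severity first; among equals, findings with a known
    fix first, since they cost the developer the least time to clear."""
    return (SEVERITY_RANK.get(f.severity, 0), f.fix_available)


def prioritize(findings):
    return sorted(dedupe(findings), key=priority, reverse=True)


def risk_summary(findings):
    """Consolidated view: count of unique findings per severity."""
    return Counter(f.severity for f in dedupe(findings))


def gate(findings, fail_on="high"):
    """Return (passed, blocking_findings). The stage fails if any unique
    finding is at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in dedupe(findings)
                if SEVERITY_RANK.get(f.severity, 0) >= threshold]
    return len(blocking) == 0, blocking


def render_for_pr(findings):
    """Markdown table a CI job could post on the pull request, so risk and
    remediation status appear in the developer's own workflow."""
    lines = ["| Severity | Tool | Rule | Location | Fix? |",
             "|---|---|---|---|---|"]
    for f in prioritize(findings):
        fix = "yes" if f.fix_available else "no"
        lines.append(f"| {f.severity} | {f.tool} | {f.rule} | {f.location} | {fix} |")
    return "\n".join(lines)


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_FINDINGS)
    print(render_for_pr(SAMPLE_FINDINGS))
    print("summary:", dict(risk_summary(SAMPLE_FINDINGS)))
    print("gate:", "pass" if passed else f"fail ({len(blocking)} blocking)")
```

The gate threshold is deliberately a parameter: a team that is just starting might fail only on `critical` and tighten to `high` once the backlog is cleared, which keeps the control from becoming the "barrier to innovation" the second point warns about.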

John Worrall has more than 25 years of leadership, strategy, and operational experience across early stage and established cybersecurity brands. In his current role as CEO at ZeroNorth, he leads the company's efforts to help customers bolster security across the software life ...