
Commentary | Operations
3/4/2020 02:00 PM
By John Worrall

CISOs Who Want a Seat at the DevOps Table Better Bring Value

Here are four ways to make inroads with the DevOps team -- before it's too late.

Throughout a series of recent conversations that I've had with CISOs, a common question has emerged: "How do I get a seat at the DevOps table?"

It's an understandable challenge that many security leaders are grappling with today. Too often, security teams are unaware of what's in their organization's application pipeline until after it's pushed to production. Only then can they assess any potential risk introduced to the business, while simultaneously scrambling to take appropriate action.

To be in the room where it happens, to get that coveted invitation to the DevOps table — and keep your seat for the long run — you must contribute real value. It's not enough to simply be there. It requires a balanced give-and-take.

Adding value happens in different ways. Regarding business, security teams provide essential risk management and mitigation services to organizations, but from the DevOps perspective, more is needed. Security teams need to design programs and introduce solutions that can keep pace with the DevOps workflow. In a word, security needs to bring speed. Here are four ways to make that happen.

1. Forge Relationships
Sure, you can sit in on a few development conversations. It's a great way to initiate efforts around effectively securing applications and infrastructure. You'll learn a lot and maybe even share a few best practices on secure coding. But cultivating collaborative, mutually beneficial relationships requires much more. You have to make the time and effort to get to know your development counterparts. Get smart on DevOps fundamentals, read what they're reading, participate in regular demos, and understand what keeps them up at night and what excites them most about their work. These personal relationships and bits of insider knowledge will help you develop strong security strategies and implement the right solutions to help DevOps teams maintain velocity.

2. Champion Innovation
CISOs and security leaders, it's up to you to reverse the long-held perception of security as a barrier to innovation and growth. In fact, a recent Harvard Business Review Analytic Services study found 73% of respondents believe a CISO's ability to recognize and nurture innovation is "very important." By building relationships with the DevOps team, CISOs can begin to proactively anticipate their evolving needs, get involved in new DevOps initiatives at the start (instead of coming on board after issues are discovered) and even spearhead efforts to adopt new approaches that help drive innovation and speed processes — safely.

3. Speak Their Language
According to Gartner, "CISOs must apply rigor and perspective to the business orientation, cost and value of risk management and cybersecurity." Much has been written on the importance of CISOs "speaking the language of business" by communicating risk in terms of dollars and cents to executive teams and boards. But it can't stop there. Today's CISOs must also speak the language of DevOps. Risk must be communicated in terms of speed. Consider this line as an example: "If we wait to address vulnerabilities after they're uncovered late in the software development life cycle, you'll need to go back, reopen the code that you wrote, refresh your memory on the logic you built, and pinpoint the specific module that's causing a problem. This unnecessary backtracking is going to waste time and slow things down."

4. Deliver Solutions with Value
The primary purpose of the DevOps approach is to speed the development and release of software. It's a comprehensive, continuous process, and increasing speed demands orchestration and automation. To deliver real value to DevOps teams, security must adopt similarly agile methodologies. This means integrating application risk management seamlessly into the entire DevOps process, instead of emerging at inopportune times to fix software and infrastructure vulnerabilities as they surface. It means embracing tools that are fully transparent to developers but also allow them to maintain existing workflows. Such tools should be able to orchestrate and automate the discovery and prioritization of vulnerabilities, speed remediation efforts, and provide a single, consolidated view of risk.

Finding ways to empower DevOps at the speed of business is key to bridging the gap between security and development teams. By providing a security overlay to the pipeline platforms developers already use — from GitHub and GitLab to Azure DevOps and BitBucket — and sharing risk and remediation advice in these platforms' native forms, developers can focus on what matters. That is, the rapid development of high-quality software that drives competitive business and promises a safer, more productive society.


John Worrall has more than 25 years of leadership, strategy, and operational experience across early stage and established cybersecurity brands. In his current role as CEO at ZeroNorth, he leads the company's efforts to help customers bolster security across the software life ...