FEATURE
be part of how ‘success’ is defined as ownership of process is a significant component of the DevOps culture.

Can you offer a breakdown of how CISOs/organisations can achieve success in DevSecOps?

Success will ultimately boil down to an improvement in security metrics and will likely follow a phased approach. Defining those metrics will be a joint effort between CISO/CSO/CTO and the teams involved. Importantly, a rubric like that from the BSIMM or OWASP communities can help identify areas of security strengths and weaknesses with the current teams. Armed with an understanding of these strengths and weaknesses, a CISO can then begin to identify areas for investment and define metrics to measure progress. While it’s tempting to solve these problems with tools, if teams are following a DevOps culture or just experimenting with Agile development practices, making key personnel from a DevOps or Agile team stakeholders will help increase support for your transition to a DevSecOps model.

BHARAT MISTRY, PRINCIPAL SECURITY STRATEGIST AT TREND MICRO

How can organisations achieve success in DevSecOps?

Companies are facing a tough challenge: continuously develop products and services to meet user demand, while ensuring comprehensive security in the face of ever-increasing and complex cyberthreats. Organisations shouldn’t have to make a choice between security and agile development and, in order to achieve long-term success, need to consider both of these principles in tandem. This can be done by embracing cultures such as DevSecOps.

Success in DevSecOps can be succinctly broken down into three main principles. The first is the development of a mindset within organisations, where developers and operations see security as part of their responsibilities, rather than it being siloed as a priority for Infosec teams. Executive or board level sponsorship is essential to driving a blame-free culture that promotes cross-silo goals and incentivises collaboration, thus reducing the ‘Not My Job’ philosophy that often halts DevSecOps. Secondly, businesses need to have the right processes in place to identify the ways to apply security without compromising agility. Finally, businesses must have the right technology in place to identify the best solutions.

Companies that are able to embed security into their pipeline in an automated way will soon see the true value in delivering innovative applications to their customers. Those that fail to do this will soon notice the friction from a disconnect between development and security, having to spend time altering security issues that are identified after deployment. Traditional Infosec teams need to look at closing the gap by integrating with developers and operations teams more closely, and should not just be seen as an additional step in the delivery pipeline, in order to achieve DevSecOps success.

www.intelligentciso.com | Issue 22 | 39
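The two threads that run through both answers above, a phased approach tracked by security metrics, and security embedded in the delivery pipeline as an automated check rather than a separate step, can be made concrete in a small pipeline gate. The following is an added example and is not code from the interview, from Trend Micro or from Intelligent CISO. The findings format, the phase names ("observe", "block-critical", "block-high"), the severity thresholds and the metric names are assumptions made for this illustration; the sample findings are constructed.

```python
"""Pipeline security gate with phased enforcement and simple metrics.

Added example (not from the interview, Trend Micro or Intelligent CISO).
It models security embedded in the delivery pipeline as an automated check
whose strictness is raised in phases, and emits metrics a CISO could track
over time. Findings format, phases, thresholds and metrics are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Severity order used for threshold comparisons (assumed, not a standard).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Phased rollout: the lowest severity the gate may block on at each phase
# (assumed names and thresholds).
PHASE_BLOCK_AT = {
    "observe": None,             # report only, never fail the build
    "block-critical": "critical",
    "block-high": "high",
}


@dataclass(frozen=True)
class Finding:
    tool: str            # e.g. "sast", "sca", "dast" (constructed labels)
    severity: str        # one of the keys in SEVERITY_RANK
    stage: str           # "pre-deploy" (caught in pipeline) or "post-deploy"
    new_in_change: bool  # introduced by the change under review?


def security_metrics(findings):
    """Return the metrics a CISO would plot over time (assumed set)."""
    by_severity = Counter(f.severity for f in findings)
    total = len(findings)
    pre = sum(1 for f in findings if f.stage == "pre-deploy")
    return {
        "total": total,
        "by_severity": dict(by_severity),
        # Share of issues found before deployment; a rising value is the goal,
        # since post-deployment findings are the friction the text describes.
        "pre_deploy_catch_rate": (pre / total) if total else 1.0,
        "new_in_change": sum(1 for f in findings if f.new_in_change),
    }


def gate(findings, phase):
    """Decide whether the change may proceed under the given phase.

    Only pipeline findings introduced by the change under review can block,
    so teams are not penalised for pre-existing debt while the phase is
    tightened. Returns (passed, blocking_findings).
    """
    threshold = PHASE_BLOCK_AT[phase]
    if threshold is None:
        return True, []
    min_rank = SEVERITY_RANK[threshold]
    blocking = [
        f for f in findings
        if f.new_in_change
        and f.stage == "pre-deploy"
        and SEVERITY_RANK[f.severity] >= min_rank
    ]
    return (len(blocking) == 0), blocking


# Constructed sample: one pipeline run plus a post-deployment pentest report.
SAMPLE = [
    Finding("sast", "high", "pre-deploy", True),
    Finding("sca", "critical", "pre-deploy", False),  # pre-existing dependency issue
    Finding("sast", "medium", "pre-deploy", True),
    Finding("dast", "low", "pre-deploy", False),
    Finding("pentest", "high", "post-deploy", False),
]

if __name__ == "__main__":
    print(security_metrics(SAMPLE))
    for phase in PHASE_BLOCK_AT:
        passed, blocking = gate(SAMPLE, phase)
        print(phase, "PASS" if passed else "FAIL", [f.tool for f in blocking])
```

Run as a script, the sample passes the "observe" and "block-critical" phases (the only critical finding is pre-existing) and fails "block-high" on the new high-severity SAST finding, while the metrics show four of five findings caught before deployment. Moving a team from one phase to the next is the kind of measurable, phased step the first answer describes, and gating only on findings the change introduced keeps the check from becoming the blocking "additional step" the second answer warns against.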