Evelyn de Souza Secure Business Agility
Evelyn de Souza

The First Steps on a CISOs DevOps Journey

CISOs DevOps

The marriage between DevOps and Security is rapidly gaining traction. Security is shifting from its former mindset of being its own silo to getting on the same agenda as their developer counterparts. For CISOs the opportunity to get security baked in has never been as achievable, but they need to focus on building that synergistic foundation between DevOps and Security. Following are some Golden Rules for CISOs looking to make the most of the agility DevOps brings:

The first step is developing a mutual understanding. To get on the same page as your development team figure out:

  • What their business goals are
  • How they are going to meet their goals with their DevOps pipeline
  • What tools they are using
  • What kind of efficiencies they are looking to achieve

Then align security to support DevOps in each of those areas.

Conversely, ensuring that DevOps understands Security’s goals and is actively looking to ensure compliance to the organization’s security policies. The DevOps paradigm is a key opportunity to get compliance policies built in earlier into the software development cycle through closer collaboration with developers.

  1. Build trust and credibility: Related to the first step, after you understand your developers’ end game, do what you tell them you are going to do, and understand and empathize with their struggles. This makes it much easier to create a climate of mutual understanding and trust.
  2. Embed security into the overall developer chain: It not only speeds up the development process, it makes it more secure. However, DevOps needs a compelling case to put in the required effort and Security has to come to the table as a collaborator versus with a list of demands. For example,
    1. Ensure that access to GitHub repositories is not broader than required and that developers are careful with login credentials per this being a noted breach vector
    2. Automate and where not possible conduct manual system and network security assessments are built into the software development lifecycle
    3. Work with developers to ensure the passwords are compliant, that they are being rotated
    4. Apply encryption at rest, in use and in transit
  1. Get involved in open source. Increasingly developers and companies are relying on open source software. However, there’s no standard way of documenting security in open source projects so it becomes important to build security into the development process and check and re-check applications for vulnerabilities. The upside for CISOs is that through utilizing open source software they get the opportunity for many eyes to look over their software and therefore, bugs and vulnerabilities get discovered faster.
  2. Treat security as an ever-changing practice that one has to stay on top off and alter practices as the landscape changes. Organizations that offer developers and security teams the opportunity to cross-train will find that they develop security-conscious developers and security teams that are business focused. This is an opportunity for security teams to come up to speed with developer tool such as Chef and Puppet while developers get to learn about vulnerability management and other security tools and practices.

By Evelyn De Souza

Evelyn de Souza Contributor
Leading Influencer
Evelyn de Souza focuses on developing industry blueprints that accelerate secure cloud adoption for business as well as everyday living. She currently serves as the Chair of the newly formed Cloud Security Alliance (CSA) data governance and privacy working group. Evelyn was named to CloudNOW's Top 10 Women in Cloud Computing for 2014 and SVBJ’s 100 Women of Influence for 2015. Evelyn is the co-creator of Cloud Data Protection Cert, the industry's first blueprint for making data protection "business-consumable” and is currently working on a data protection heatmap that attempts to streamline the data privacy landscape.
follow me
Daren Glenister

Cyber Security Tips For Digital Collaboration

Cyber Security Tips October is National Cyber Security Awareness Month – a joint effort by the Department of Homeland Security and private industry to ensure ...
Safeguarding Data Before Disaster Strikes

Safeguarding Data Before Disaster Strikes

Safeguarding Data  Online data backup is one of the best methods for businesses of all sizes to replicate their data and protect against data loss ...
Mark Casey Apcela

Industrial IoT will reshape network requirements

Industrial IoT The hype around IoT may have been surpassed this year by breathless coverage of topics such as artificial intelligence and cryptocurrencies, but there ...
Vibhav Agarwal

Principles of an Effective Cybersecurity Strategy

Effective Cybersecurity Strategy A number of trends contribute to today’s reality in which businesses can no longer treat cybersecurity as an afterthought. These include a ...
How Formal Verification Can Thwart Change-Induced Network Outages and Breaches

How Formal Verification Can Thwart Change-Induced Network Outages and Breaches

How Formal Verification Can Thwart  Breaches Formal verification is not a new concept. In a nutshell, the process uses sophisticated math to prove or disprove ...
BBC Tech

Play store apps to be scanned for malware

Google is beefing up the way it checks if any of the apps uploaded to its Play store are malicious. All new apps will be scanned by malware-spotting tools from three ...
MIT tech review

Facebook says it’s getting better at weeding out child sex abuse images

Facebook has revealed a huge jump in child sex abuse images uploaded to the website: 11.6 million pieces of content from July to September this year, versus 6.9 million from ...
Samsung

Experts Discuss Taking AI to the Next Level at Samsung AI Forum 2019

Samsung AI Forum 2019 Samsung Electronics is committed to leading advancements in the field of artificial intelligence (AI), with the hopes of ushering in a brighter future. To discuss what the ...