How do you promote security as a fundamental aspect of DevOps in your organization?
Senior Director of Software, Applications and Analytics in Software, 5,001 - 10,000 employees
You need a multi-pronged approach, especially if the culture is used to the old ways where it was kind of like a handoff to some security organization: they certified it, and blessed it, and it got deployed somewhere, or delivered somewhere. Obviously things have changed. Of course with culture, leadership has to support it. They've got to walk the walk and talk the talk about the importance of security, and really put the culture in the position of, "You're part of the solution, and here's why. Here's what it impacts if you're not." That seems to resonate with people. The more you demonstrate that approach and that posture as a leader, the more buy-in you get over time. The other piece of it is that traditionally security has been more of like a handoff organization: the silo within the organization itself. It really has to be integrated. This could be having more people and more roles to support it within each component of the organization, but there's also another way to think about it: security engineers, architects, etc., are more like consultants to every team. So you might start that way, and see how it grows with communities of practice, or communities of interest within the organization. How can those people that are creating that movement around security and DevSecOps, based on a leader's vision of where the security posture needs to be, get others to join in with them and start the practice? They need to determine learnings, best practices, and what can be created, and share that with the rest of the people in the organization. Over time, it starts to get people more engaged, and they have more resources, and more people singing the same tune. It takes time, especially in the legacy culture and legacy programs, to get that thing going. But that's where we've seen some success with getting people on board with you.
President and National Managing Principal in Software, 501 - 1,000 employees
One of the advancements that has helped DevSecOps is this new role of product security officer. A business security officer. They're taking security out of IT, and companies are defining specific roles. IT is still important and there is a CSO, or an IT security officer, but you have this product security officer who's there to say, "Hey, make sure our product is secure, make sure our product meets the customer's specification requirements." However much you pay a product security officer is probably going to be less than what companies have invested in all the tools that don't get used. That product security officer connects more to the customer, but they also define the requirements around security and enforce that ongoing testing and evaluation. At least from a product perspective.
Staff Security Engineer in Software, 11 - 50 employees
One of the key tenets of DevOps to me is empathy. If we, as security people, don't embrace that aspect, then we will forever be seen as the "team of no", and people won't want to work with us. Being the people who come in with the restrictions and the rules without understanding the reasons for the previous architecture decisions won't win us any friends or allies.
Director of IT in Transportation, 5,001 - 10,000 employees
We have the borderline of compliance issues we stick to when setting up controls. Security is also monitoring issues, so it is easier to work with standards.
Chief of DevOps and Partner in Healthcare and Biotech, 1,001 - 5,000 employees
1. Educate the teams
2. Implement security measures
3. Integrate and automate them
4. Conduct regular security audits
5. Foster a culture of security
6. Continuous security monitoring
7. Continuous improvement