Welcome to the debut of our brand new Modern CISO web series. This series is a platform for security leaders to gain insights from their industry peers on cyber security topics. Presented by Mark Carney, VP of Global Advisory Services at Kudelski Security and featuring Tony Spinelli, former CISO from Capital One and current Chief Operating Officer of Fractal Industries Inc., this installment revolves around cyber board communication and metrics.
Software development methodologies have seen change significantly over the last 10 years. In many companies Agile has outpaced waterfall as the development model of choice. In addition, development teams may now have their own infrastructure operations working inside the development team.
Driven by the adoption of agile, DevOps refers to a set of practices that emphasize the collaboration and communication of both software developers and IT/Infrastructure professionals while automating the process of rapid, reliable software delivery and infrastructure changes [1]. The transition to agile processes may not be consistently applied to an entire organization. Traditional support functions such as IT, of which CISO’s are often organizationally aligned, may not have changed their own processes to keep up with the changing demands of these internal customers. So where does traditional CISO guidance and long-term security strategy fit into this agile world of continuous development and deployment via infrastructure as code? CISO’s face the challenge of adapting to this changing environment or risk being left behind and unable to assess the security of their company’s software.
The OWASP foundation states that the “CISO can choose to achieve security goals through three main ways; People, Process and Technology. Focusing on one or two of them can leave the organization vulnerable” [2]. Why is it then that developers, DevOps practitioners and product owners in many organizations have little interaction with the CISO and their teams? Is it because developers perceive security teams as being slow or a block to progress? It’s certainly possible: a recent DevOps industry survey found that 65% of security respondents are in agreement that security is seen as an inhibitor to DevOps agility [3].
CISO’s and their teams can help mitigate that perception. A recent Puppet State of DevOps report says that high performing teams spend less time fixing security issues because they address security at every stage of the development process instead of trying to retrofit security at the end. In fact adding InfoSec earlier in the development process is one of the top 5 priorities that surveyed DevOps teams wish to focus on [4].
So this would appear to be a perfect time for CISO’s to collaboratively engage with their DevOps colleagues.
What are some simple steps that CISO’s can take to increase effective interaction and drive this culture of what is recently being referred to as DevSecOps?
Enable DevOps use of Cloud Services. In many companies, especially where CISO’s are part of the IT organization, they may have noticed a correlation with the adoption of a DevOps culture and the increased use of cloud services. Often DevOps infrastructure groups will prefer to integrate with feature rich AWS or other cloud based service providers rather than internally developed or administered IT platforms. Rather than simply hoping that developers are not putting the company’s data at risk on unknown test and production cloud based infrastructure, CISO’s should publish clear and practical standards and guidelines about which cloud providers can be used, how and where data should be processed to satisfy regulations such as GDPR, whether source code can be stored in the cloud, and what steps need to be taken to ensure security and compliance. Keep these documents simple, up to date and ask for input from DevOps teams when drafting to ensure current usage is established.
Embrace Continuous Integration and Delivery. Back when Waterfall was the only game in town, it was easy to insert manual security checks into the master development schedule. Perhaps one after Alpha, another around Beta and maybe a PenTest. Tools didn’t need to integrate or even be connected in any way to the overall development tool chain. Someone could be assigned to run a scan and an impressive report could be generated so the appropriate completion checkbox could be marked on a master project checklist. With the ability to do multiple builds and deployments per day based on a feature backlog, there needs to be a reliance on integrated lightweight security tools that are seamless in the overall process and do not cause bottlenecks. The good news for CISO’s is that all of this process is scripted and automated and leaves very tangible evidence in the form of event logs and owners. If this automation is correctly enabled, DevOps makes it easier to have auditable recorded segregation of roles between development and production.
Show me the Money. Depending on your organization and if specific tools are being recommended for development teams to use, it’s worth keeping in mind that many of these can run into high six figure amounts. In many cases, these are not budgeted by development leaders and difficult choices may need to be made to balance InfoSec compliance versus what developers are measured on, namely on-time, quality product delivery. Sometimes cheap or free alternative tools must be used instead of expensive, comprehensive alternatives because of cost. These cheaper tools may not mitigate vulnerabilities as well as better, more expensive tools. If CISO’s can bring some money to the table, it can often make preferred solutions for risk mitigation a lot more palatable.
Get Involved. Depending on how Agile is being implemented in your company, there will usually be an event, or Sprint Demo, every couple of weeks. This is a chance for all interested stakeholders to see what has been completed in the previous sprint and to offer input or guidance. This is a perfect opportunity for a CISO or his/her team to get real-time insight into what is happening and to offer leadership on what might be missing from a security and compliance point of view. Many teams even record their Sprint Demo’s and they can be viewed offline – ask your development teams to see how this is handled where you work.
Become the Product Owner’s Friend. In Agile development, unless a feature or requirement is in the product backlog it will not be acted upon. A CISO can work with an agile product owner who owns the master backlog to explain the importance of security, and work collaboratively to add security specific epics to the master product backlogs. The CISO can also advise on what criteria must be met for final acceptance.
Command an Army of Champions! A neat idea I’ve seen in many companies is for there to be a developer assigned the role of security champion in each of the main development teams. By involving these champions, it allows a CISO to have a more focused conversation around the challenges, a chance to solicit input and an opportunity to identify teams that could pilot new approaches and drive change from the bottom up.
I hope this blog has given CISO’s some ideas about how to work collaboratively with development and infrastructure operations teams. I’d welcome your feedback and comments about what has worked well for you and what you might try differently to keep your development organizations secure.
