I attended two and a half days of the RSA security conference last week and I’d like to share my first-timer perspective with you.
The opening keynote challenged Information Security to reorganize to collaborate better with users, business, risk, and IT teams.
My post-conference perspective is that this challenge is largely ahead of us. Feels like where ‘devops’ or ‘agile infrastructure’ was in the late 2000s when 10 deploys per day was an astounding feat.
Conversations with practitioners and vendors made clear most Tech organizations are still stumbling over basic definitions of security and risk terminology and awareness of how those processes should work.
This is especially true when communicating across Security, Development, Operations, and Risk Management functions and creates much confusion for stakeholders in ‘the business’ and product management. Additionally, the conventional approach and effort allocation to ‘scale Security’ appears is still being spent on growing capabilities and reach of the traditional Security organization.
The most useful and still-emerging practice that came up several times in practitioner conversations are for Infosec and Risk teams to work with platform, delivery, and application development teams to define security and risk management practices such that they can be:
- easily understood, starting with terminology and high-level processes
- adopted and executed by non-Security experts with self-service education and tools with authority delegated to the platform and delivery teams
- observed, managed, and improved over time by Security and Risk teams
That is, build a scalable approach to Security culture, knowledge, processes, and tools.
This addresses the problem of scaling security teams directly and also enables a coherent risk management across the organization.
We have the
DevSecOps hashtag for these practices and indeed there was a DevSecOps Days at RSAC 2020. However, there are still a lot of open questions people have about how to do this, especially coming from the traditional Security domain.
Think about how many times you have explained or listened to how a Delivery pipeline works over the past ten years. We have a similar, though hopefully, shorter path to travel for security and risk.
What to do
I think experienced DevOps practitioners are some of the most-qualified allies to make material improvements in Information Security. We’ve done so much of this transformation work before and there is plenty to leverage.
So if you’re interested in improving the safety of your customers’ and organization’s data, maybe schedule lunch with a Security (or DevOps) colleague to discuss:
- the challenges your organization has around scaling security
- what you organization is trying to do about it
- how your DevOps practices addressed similar challenges
- what practices might cross over
Big changes can start from simple, humble conversations.