Injecting Security into Your DevOps Strategy: The one about strategic planning
Keyaan Williams
Global Risk Governance Executive | Professional Speaker | Funniest Man in Cybersecurity
Last week, some great people joined me to celebrate Veterans Day and share timely wisdom about implementing DevOps securely. The content was presented under the Cyber Strategy Retreat banner, which is gaining recognition for the way we bring business, technology and security executives together to discuss cybersecurity from a strategic perspective.
Injecting security into your DevOps strategy takes a deep dive into the practice of DevOps.
Organizations have embraced DevOps as a solution to develop software more quickly and automate infrastructure changes. Enhanced collaboration between operations staff and developers has significant value for the business; however, DevOps can present some significant risks to an organization if not implemented properly. A sound strategy is required to ensure security is considered and applied early and often throughout the development lifecycle. This is even more important when development is completed in a DevOps environment because embedding security controls at the beginning of the system development lifecycle ensures effective management of operational and cyber security risks for the deployed systems and services that are produced.
Benefits:
- We manage our risk effectively
- We reduce the risk to which we're exposed
- We allow everyone to be successful by focusing on business needs and outcomes rather than focusing on whether or not security is a speed bump, a roadblock or a significant distraction in the business process.
Ultimately, the goal of DevOps is to get everyone on the same page instead of working in silos. Operations, development, infrastructure, security and everybody else who is part of the development ecosystem is going to work together in a cohesive group to streamline the development process and roll out applications at a speed that makes sense. Speed that makes sense is an important concern. Delivering solutions at the speed of business will be influenced by the resources, the capability, and the maturity of your organization. The goal is to intentionally inject security into your DevOps strategy to ensure the only way to produce code, applications, and systems is to deploy them in a secure, resilient and trustworthy manner based on the design and configuration of your tools and infrastructure.
Governance
Because we're talking about a cohesive, cross-functional development team, corporate governance, IT governance, and security governance all factor into the equation for a successful DevOps program that has security integrated into the process.
- Everyone must understand the corporate goal.
- Everyone must understand the decision-making authorities and the boundaries for accepting risk, whether we are focused on security risk, operational risk, compliance risk, or reputational risk.
- Everyone must accept and agree with the approach and the standards established to manage the DevOps process.
The process must be framed in a way that satisfies all requirements that you're trying to accomplish, including security requirements, but primarily focused on operational efficiency and the goals of integrating the team to deploy things at the speed of business.
Strategy
Governance and strategy are related concepts. Strategy is a general plan to achieve one or more long-term goals and to do so under conditions of uncertainty. Managing uncertainty is the key to strategy because you never know the conditions or the situation you will face in the future. This is important to consider when you work to align your DevOps strategy to the practices and requirements for managing cybersecurity risk and other risks within your organization.
Strategic Planning
If a sound strategy is your goal, strategic planning provides a structured approach to identify the goal by documenting the steps required to move from where you are today to where you want to be in the future. The work you do when you define your DevOps strategy must focus on developing an understanding of the environment, how it operates, the risk that you're exposed to, the steps that must take place to limit or prevent disruptions, and anything else that can damage your reputation, your regulatory requirements, your contractual obligations, or operations.
Putting it into practice
Good governance and strategic execution can increase the confidence you have that the technology environment supporting development operations will function as intended and produce the results you expected. Keep in mind that the objective of strategic planning is to develop the road map for achieving a future goal or objective. Security should be part of that roadmap.
The process begins with understanding the business context that affects your plan. Your strategy must consider how DevOps will work in your company because you cannot adopt the strategy from another company and expect the same results or the same success. Performing analysis with tools like SWOT or PESTLE ensures that the context and the capabilities of your business are understood before you begin working on the strategy for using DevOps in the business, and for doing so securely. The time invested in analysis helps to identify what resources are available, what gaps exist, and what additional steps need to take place so that you can achieve the outcome that you're looking for.
Next, you want to consider setting long-term goals and objectives. These should be SMART goals. The mnemonic represents goals that are Specific, Measurable, Attainable, Relevant, and Time-bound. This will help you understand where you're going during the execution of your strategy, and it will help you know when you have arrived at the goal.
The goals developed during the strategic planning process often relate to some problem the organization is already dealing with. The root cause of issues often drives the solution that is described in the strategic planning process. Implementing secure, effective DevOps requires a plan so that you can identify the resources, the goals and the outcomes that need to be produced. Understanding why you are making this transition to your approach allows you to identify the best solutions and resources to address the root cause issue.
Finally, you need to develop good performance metrics. Metrics allow you to track the execution of your strategic initiatives. They help you determine whether you are ahead of schedule, on track, or falling behind. The right metrics serve as a forecasting tool that helps you take corrective action before it's too late. The right metrics also help you communicate the value of the investments you made in the DevOps initiatives adopted to help the organization achieve business success.
Thank you
Thanks for taking the time to read, to share, and to participate in the discussion! I look forward to your feedback on the next edition in the series, which features insights from Ron Ross who will discuss the value of system security engineering in the process.
This event would not be possible without the support of our sponsors. Thank you to our partners at Cobalt Labs who specialize in penetration testing as a service. Thank you to our partners at Checkmarx who specialize in application security testing and thank you to our friends in NIST who provide a library of valuable security resources and standards in their Computer Security Resource Center.
If you enjoyed this article and want to learn how to apply strategic planning to your security program, the Cyber Executive Masterclass from CLASS-LLC is a great way to take a deep dive into business leadership for cybersecurity. The next cohort starts on 23 January 2020. Learn more at our Eventbrite page: https://cem-20210123.eventbrite.com