How do you promote security as a fundamental aspect of DevOps in your organization?

We're just starting to talk to customers and reach out. The customers have all these questions for us, "Hey, what data of ours do you have? Where are you tracking it? Where are you putting it? How are you restricting who has access to it? Are you doing your annual pen test, and your monthly or weekly, or whatever scans to make sure you don't have any vulnerabilities?" The thing is, if you don't have somebody who comes in and tells you that it's important to [have good security practices], then you're going to do the bare minimum. If you have to answer no on some of these questions, it makes it really obvious that having good security hygiene is actually a sales driver. Not only does it make good sense because you're being a good steward of your customer's data, but it's also going to help you make the money through sales, because your customers are going to trust that you're at least doing the obvious things to get yourself in shape to protect their data.

Anonymous Author
You need a multi-pronged approach, especially if the culture is used to the old ways where it was kind of like a handoff to some security organization: they certified it, and blessed it, and it got deployed somewhere, or delivered somewhere. Obviously things have changed. Of course with culture, leadership has to support it. They've got to walk the walk and talk the talk about the importance of security, and really put the culture in the position of, "You're part of the solution, and here's why. Here's what it impacts if you're not." That seems to resonate with people. The more you demonstrate that approach and that posture as a leader, the more buy-in you get over time. The other piece of it is that traditionally security has been more like a handoff organization: the silo within the organization itself. It really has to be integrated. This could be having more people and more roles to support it within each component of the organization, but there's also another way to think about it: security engineers, architects, etc., are more like consultants to every team. So you might start that way, and see how it grows with communities of practice, or communities of interest within the organization. How can those people that are creating that movement around security and DevSecOps, based on a leader's vision of where the security posture needs to be, get others to join in with them and start the practice? They need to determine learnings, best practices, and what can be created, and share that with the rest of the people in the organization. Over time, it starts to get people more engaged, and they have more resources, and more people singing the same tune. It takes time, especially in the legacy culture and legacy programs, to get that thing going. But that's where we've seen some success with getting people on board with you.
1 upvotes
Anonymous Author
One of the advancements that has helped DevSecOps is this new role of product security officer. A business security officer. They're taking security out of IT, and companies are defining specific roles. IT is still important and there is a CSO, or an IT security officer, but you have this product security officer who's there to say, "Hey, make sure our product is secure, make sure our product meets the customer's specification requirements." However much you pay a product security officer is probably going to be less than companies have invested in all the tools that don't get used. That product security officer connects more to the customer, but they also define the requirements around security and enforce that ongoing testing and evaluation, at least from a product perspective.
0 upvotes
Anonymous Author
One of the key tenets of DevOps to me is empathy. If we, as security people, don't embrace that aspect, then we will forever be seen as the "team of no", and people won't want to work with us. Being the people who come in with the restrictions and the rules without understanding the reasons for the previous architecture decisions won't win us any friends or allies.
0 upvotes
Anonymous Author
We have the borderline of compliance issues we stick to when setting up controls. Security is also monitoring issues, so it is easier to work with standards.
0 upvotes