Many security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve. Similarly, security groups believe that policy enforcement is their biggest (only?) lever… “If we can just update the policies to be more consumable, relevant, context-aware, etc. and get developers to pay attention, then magic will happen.” But policy enforcement rarely moves the needle, and it creates a tense relationship between development and security that can do more harm than good.
More importantly, policy enforcement takes the place of development teams owning the security problem. The Lean, Agile, and DevOps movements have been successful precisely because they have empowered development teams to take ownership of QA, product management, operations, etc. in recognition of 100+ years of social psychology research proving that approaches with strong elements of intrinsic motivation (taking ownership) are far superior to extrinsic-only (policy enforcement) approaches.
So, how does a CISO or other security leader break away from independent gating and policy enforcement to adopt this new approach? You have to change the mindset of your own security team as well as client development teams. You have to make the right thing to do the easy thing to do. You have to get executive sponsorship throughout the organization and get middle management on board. You have to build trust between Dev, Ops, and Sec. And a host of other things. Where do you start?
This talk is a step-by-step framework that will take you from wherever you are now and put you on the path of DevSecOps cultural transformation. It addresses the mindset-shift concerns for all relevant audiences. It addresses the mechanics of getting started and tracking progress. It’s adaptable to any environment regardless of industry, technology, or maturity. Most importantly, it’s been proven in a highly diverse environment at Comcast.