Author: Ludovic Nesse
68% of business leaders feel that their cyber security risk is increasing and understand that security is not only an IT problem. During 2021, cyberattacks against corporate networks increased by 50% compared to 2020 (Check Point, 2022). The COVID-19 pandemic has been connected to a 238% surge in cyberattacks against banks (Carbon Black, 2020).
In June 2021, the US Department of Justice upgraded ransomware to a national security threat, placing it at the same priority level as terrorism. Every 39 seconds, on average 2,244 times a day, hackers go after business-critical data, which is usually worth far more to them than taking your servers down for a day. Data breaches exposed 22 billion (!) records in 2021 (Risk Based Security, 2021). The financial damage is immense: the average cost of a data breach was $4.24 million in 2021 (IBM). Beyond the direct cost, the reputational damage of a data breach can threaten the very existence of an organisation.
The typical root causes of these pain points are closely linked to gaps in the Target Operating Model, the use of legacy systems and technology, and a low understanding of risk and security in the organisation. Innovation and digitalisation do create numerous opportunities to increase revenue and reach new market segments. However, they also create a 'security lag', as even the closest collaborators driving the innovation engine forward are not always aware of the related risks. Talking to CISOs of various financial institutions, we learned that, among other things, they need a holistic approach with a clear focus on embedding. They must move fast, but their legacy systems, culture, limited change mindset and organisational setup usually slow things down. The new models need to absorb changes quickly, as they pop up frequently: from new regulations, from new threats, or simply from the accelerated speed of change delivery as organisations transform into iterative Agile & DevOps development teams.
But how do you start embedding security into a DevOps environment?
Obtain stakeholder buy-in
It all starts with generating buy-in from senior leaders within the organisation, ideally across IT and non-IT to build collaboration and trust. Security is not just a side activity or a specific role; it is a practice and behaviour that should be embedded in every layer of the organisation and department. You need change in organisational culture, new collaborative processes, tools to automate the process and the application of consistent governance. For this, people, process, technology and governance need to be integrated and aligned.
Set the baseline
To define your first actions you need to know where you are today. Use value stream mapping to collaborate visually, and perform a self-assessment of your security practices at each phase of your software development lifecycle using a model such as BSIMM (Building Security In Maturity Model). You want to find out where security activities currently happen, where the constraints are and which risks pop up. It is also crucial to work closely with the internal Risk, Audit and Compliance representatives so that no potential gaps are left in a grey zone, and to include them as early as possible (shift left)!
Understand and Identify Solutions
Next, collaborate with all stakeholders of your value stream to design a target state that addresses your security requirements. For this, you first need to understand the threat landscape and perform threat modelling: what are your vulnerabilities, what is their impact and what is the resulting risk? Then design a Target Operating Model (TOM) that covers new (and existing) functions, security practices, organisational structures and key processes, and maps technologies and processes to core security operations.
Ensure the relevant lines of defence are engaged with the proposed mitigating controls and the framework applied. Even though the independence of Internal Audit, Risk Management and Compliance must be respected, including their insights can lead to an organisation and framework that are better balanced.
The Target Operating Model enables the organisation to implement new tools and processes that offer (self-service) security in a DevOps environment, increasing the speed of change delivery in line with iterative Agile & DevOps development teams.
The key to effective implementation is a structured change management approach that increases adoption and the chance of success. Apply the best-practice ADKAR levers to the implementation phase, starting with clear communication and awareness around the TOM and why embedding security is vital to the organisation's survival. Create your stakeholder map and identify your change ambassadors by answering questions such as: 'Which of my stakeholders has the power and willingness to make a change?' These will be the key actors in turning the implementation into a success. Ensure that all impacted stakeholders have the training and skills to implement the change, and finally reinforce and sustain the change so that the new security practices are likely to be continued.
Start co-creating security controls based on various security best practices and standards and, most importantly, on insights from your stakeholders on how they would mitigate the risks within their own area.
Combining the practical expertise they have built up over the years with the theoretical framework yields a robust security framework with a foothold in both theory and practice. By co-creating your security controls and standards you make them the responsibility of all. This enables a security shift left: security practices move to the earliest possible point in the software development lifecycle, with the goal of moving from a reactive to a proactive security posture.
Finally, to ensure the sustainability of the changes implemented, upskill your people through a solid training plan along with coaching to embed the new tools, processes and, more importantly, behaviours.
Monitor and improve
As threats and risks evolve, monitoring and continuous improvement are key to keeping the business secure. The Target Operating Model, security practices, organisational structures, key processes and technologies need continuous re-evaluation to ensure the organisation is still protected against the current threat landscape.
Using modern automation techniques and principles such as "Security as Code" or "Security as a Service" also allows DevOps teams within the organisation to continuously monitor their security metrics, enabling them to improve their security consistently.
What now?
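As an added illustration of what "Security as Code" looks like in practice (this is example code written for this article, not Projective's tooling or any client's pipeline): a small policy-as-code check that evaluates deployment manifests against a baseline rule set, reports a pass rate per rule as a security metric, and returns an exit status a CI step can gate on. The three manifests are constructed samples, the rule set and the "secretref:" convention for vault-backed values are assumptions, and the rule and field names are hypothetical.

```python
"""Security as Code: baseline policy checks over deployment manifests.

Added example for this article (not Projective's code). The manifests are
constructed samples; the rules and the 'secretref:' convention are assumptions.
"""
import re
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# Env var names that usually carry credentials (assumed naming convention).
SECRET_KEY_PATTERN = re.compile(r"(PASSWORD|PASSWD|TOKEN|SECRET|API_KEY|PRIVATE_KEY)", re.I)
# Assumption: values with this prefix are resolved from a vault at deploy time.
SECRET_REF_PREFIX = "secretref:"

# Constructed samples reduced to the fields the rules look at.
SAMPLE_MANIFESTS = [
    {"name": "payments-api", "image": "registry.example/payments:1.4.2",
     "privileged": False, "run_as_non_root": True,
     "env": {"DB_HOST": "db.internal", "DB_PASSWORD": "secretref:vault/payments/db"}},
    {"name": "batch-runner", "image": "registry.example/batch:latest",
     "privileged": True, "run_as_non_root": False,
     "env": {"API_TOKEN": "hardcoded-token-123456"}},
    {"name": "reporting", "image": "registry.example/reporting:2.0.0",
     "privileged": False, "run_as_non_root": False, "env": {}},
]


@dataclass(frozen=True)
class Finding:
    manifest: str
    rule: str
    message: str


# A rule returns a message when the manifest violates it, otherwise None.
Rule = Callable[[dict], Optional[str]]


def no_privileged(m: dict) -> Optional[str]:
    return "container runs privileged" if m.get("privileged") else None


def pinned_image(m: dict) -> Optional[str]:
    """Reject untagged images, 'latest', and 'tags' that are really registry ports."""
    image = m.get("image", "")
    _, _, tag = image.rpartition(":")
    if not tag or tag == "latest" or "/" in tag:
        return f"image {image!r} is not pinned to a version tag"
    return None


def run_as_non_root(m: dict) -> Optional[str]:
    return None if m.get("run_as_non_root") else "container may run as root"


def no_hardcoded_secrets(m: dict) -> Optional[str]:
    leaked = sorted(k for k, v in m.get("env", {}).items()
                    if SECRET_KEY_PATTERN.search(k) and not str(v).startswith(SECRET_REF_PREFIX))
    return f"secret-like env vars set inline: {', '.join(leaked)}" if leaked else None


RULES: dict = {
    "no_privileged": no_privileged,
    "pinned_image": pinned_image,
    "run_as_non_root": run_as_non_root,
    "no_hardcoded_secrets": no_hardcoded_secrets,
}
# Rules whose failure blocks a deployment; the rest are reported as metrics only.
BLOCKING_RULES = {"no_privileged", "no_hardcoded_secrets"}


def evaluate(manifests: list, rules: dict = RULES) -> list:
    """Run every rule over every manifest and collect the violations."""
    findings = []
    for m in manifests:
        for rule_name, rule in rules.items():
            message = rule(m)
            if message:
                findings.append(Finding(m["name"], rule_name, message))
    return findings


def pass_rates(manifests: list, findings: list, rules: dict = RULES) -> dict:
    """Per-rule share of manifests with no finding: the metric a team can trend."""
    failed = {name: set() for name in rules}
    for f in findings:
        failed[f.rule].add(f.manifest)
    return {name: round(1 - len(failed[name]) / len(manifests), 2) for name in rules}


def gate(findings: list, blocking: set = BLOCKING_RULES) -> int:
    """Exit status for a CI step: 1 if any blocking rule failed, else 0."""
    return 1 if any(f.rule in blocking for f in findings) else 0


if __name__ == "__main__":
    results = evaluate(SAMPLE_MANIFESTS)
    for f in results:
        print(f"{f.manifest}: [{f.rule}] {f.message}")
    for rule_name, rate in pass_rates(SAMPLE_MANIFESTS, results).items():
        print(f"metric pass_rate{{rule={rule_name}}} {rate}")
    sys.exit(gate(results))
```

Run on the samples, the script prints five findings (four on batch-runner, one on reporting), a pass rate per rule, and exits non-zero because two blocking rules failed. The point of the split between blocking rules and metric-only rules is that a team can see its run-as-non-root pass rate trend upwards over time without every pipeline breaking on day one; rules get promoted to blocking once the metric shows the estate is ready.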
To summarise, the key steps for a successful implementation are:
- Obtain stakeholder buy-in
- Set the baseline
- Understand and identify solutions
- Monitor and improve
Integrating security practices into DevOps lets security practitioners operate and contribute value with less friction. Security practices must adapt dynamically so that data security and privacy issues are not left behind in the fast-paced world of DevOps. Breaking down security silos makes security continuously adaptive and auditable.
At ::projective we have been helping Banks, Financial Institutions and Payment Market Infrastructure in starting their DevSecOps journey and achieving the benefits of DevOps. If you would like to chat about a challenge, raise a question about our article or learn more about how we can support you, then please drop us a line at DevOps@Projectivegroup.com.