DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
DESCRIPTION
There comes a time in every good security leader’s career where just saying “no” to DevOps won’t work (although we always reserve the right to do so). Instead, we must come up with a solution to the problem at hand. The time is here and now to embrace DevOps. Join Tim Virtue, Chief Information Security Officer for Texas NICUSA, as he explores the “marriage” of DevOps and Security. He will share the successes and failures from three significant DevOps experiences, with a focus on his most recent encounter with the DevOps/Security union in a heavily regulated Financial Services firm. Tim will share his story – from the crying, screaming, and paranoia – to the eventual success stories and lessons learned. You will walk away from this presentation with the knowledge, skills, and shortcuts to persuade even the staunchest security naysayer to change their mind and support, rather than derail, your DevOps program.
TRANSCRIPT
DevOps:
Lead, Follow, Or Get Out of the Way
A CISO Perspective
Presented by: Tim Virtue, CISO, Texas.gov
The Lawyers Made Me Do It
Any references to specific organizations, people, products, or services are purely examples or learning opportunities and neither criticisms nor endorsements
The views presented are strictly my own and may or may not represent any organizations or affiliations I have (mostly because they have not seen the light yet)
It’s OK to agree to disagree, but anyone who gets that worked up over slides needs a vacation
ABC Soup & Street Cred
CISSP, CCSK, CISA, CIPP/G, CFE, ITIL V3, CVE, QGVM, blah blah blah…
Over 15 years’ experience in Security, Risk Management and IT
Executive Master of Science in Information Systems from a top business school
Cyber Security Instructor, Author & Speaker
Not bragging – just showing perspective & credibility – if DevOps can sell me, you can sell it to the greater security community and your organization
What DevOps Is Not
Something to be ignored
Something Security should try and stop
Something done in isolation
A system or tool implementation
What is DevOps?
Many things to many people
A trendy buzzword, but with a powerful ideology
Not just for “The Unicorn Companies”
For today, let’s focus on key concepts such as Agile, Culture, Quality, Automation & Tools
For a great in-depth discussion read “What Is DevOps?” by the Agile Admin: http://theagileadmin.com/what-is-devops/
DevOps: My Initial Thoughts
3 Ring Circus
Like I didn’t have enough problems when they (Development & Operations) worked independently – now they want us to work together – Seriously???
Puppets, Chefs, & Vagrants – These are now in the environment – I don’t know what this means, but you’re telling me not to worry – Really???
We struggle with a few security basics already – and now you want to do everything faster – Fantastic!
Once I began to understand the DevOps shift and that it means more than a suite of new tools, I began to feel a little better
Communication, Collaboration and Integration – these sound like good things that we can use more of
Everyone is doing it – How bad could it be?
A Light At The End of The Tunnel – But I Still Think It Could Be A Train
Traditional Security 101
CIA – Confidentiality, Integrity, Availability
Slower is better
Separation of Duties
Documentation
Security Says No!
How Security Sees Itself
How Security Sees Development & Operations
How Development & Operations See Security
Security Says…
NO!!!
How We All Should Be Seen
Dev Ops Sec
Time For A Change
Faster releases means faster security fixes
More automation = fewer manual processes (read less human error & reduced insider threats)
More visibility and involvement with stakeholders
SecDevOps
Security not only embraces but leads a Security-driven DevOps culture
We control our own destiny rather than fight an inevitable and uphill battle
We manage by a risk-based approach – but still achieve our compliance requirements
DevOps Security
Happens a lot faster, if not “real time”
Automation
Less documentation
“Blurred” segregation of duties
Security needs to say yes with secure, flexible solutions that address CIA and not lose focus on what we are really trying to protect
How Do We Get There?
Collaboration
• Work together so the output is more like SecDevOps
Communication
• Share what you are doing and why
• Learn to speak the DevOps language but share Security perspectives too
Innovation
• Work together to find solutions that support traditional Security 101 goals while supporting new methodologies
How Do We Sell This?
It is happening one way or the other – better to control our own destiny rather than fight an uphill battle
Let us all work collaboratively to get our needs met
Let us show you how it can benefit you
CISO Benefits – If DevOps Security Is Done Right
Faster releases means faster security fixes and fewer vulnerabilities
More automation = fewer manual processes (read less human error & insider threats)
More visibility and involvement with stakeholders
Some Other Things To Consider
Security leaders will need to invest time in the transition so you can help meet existing security requirements while supporting the mission
Start small and prove this works
Get the CISO onboard, he can be your biggest advocate
This is a huge shift – it will take time – practice traditional organizational change management techniques
Lead by example
What Needs To Change - Security
More & Improved Collaboration and Communication
More open minds and increased knowledge
Flexible solutions that address the intent of CIA while not getting hung up on “Old School” and we-have-always-done-it-that-way methodologies
Become change agents in the security community (including risk managers, auditors, compliance professionals)
What Needs To Change - DevOps
More & Improved Collaboration and Communication
Innovative ways to support traditional security objectives while embracing DevOps
Put the “No” in Technology and start speaking the language of risk management
Build in security throughout the entire DevOps lifecycle
Where To Start
Cause of Failure
Focusing on technology and ignoring organizational culture
Lack of creativity
Lack of executive support
Only select teams/individuals adopting new methodologies
Losing sight of business goals and desired outcomes
Cause of Success
Proper training
Starting small
Alignment with business
Creating a culture of agility
Incremental improvement
Focus on the intent of security requirements
Risk-based approach
Call to Action
Start today
• You invested the time in this session – take the next step
Avoid overthinking
• You don’t need to roll out the perfect solution
Iterative approach
• Crawl, Walk, Run
Be constructively dissatisfied
• Deliver continuous improvement
Lead by example and build controls into the process
Thank You!
Help me spread the message to others
Build security into your organizational DevOps culture so that it looks more like SecDevOps
Please check me out on LinkedIn http://www.linkedin.com/in/timvirtue
Or follow me on Twitter https://twitter.com/timvirtue
Contact Me
Tim Virtue • Chief Information Security Officer • [email protected]