devops: lead, follow or get out of the way - a ciso perspective

DevOps: Lead, Follow, Or Get Out of the Way A CISO Perspective Presented by: Tim Virtue CISO, Texas.gov

Upload: texasgov

Post on 29-Aug-2014


DESCRIPTION

There comes a time in every good security leader’s career where just saying “no” to DevOps won’t work (although we always reserve the right to do so). Instead, we must come up with a solution to the problem at hand. The time is here and now to embrace DevOps. Join Tim Virtue, Chief Information Security Officer for Texas NICUSA, as he explores the “marriage” of DevOps and Security. He will share the successes and failures from three significant DevOps experiences, with a focus on his most recent encounter with the DevOps/Security union in a heavily regulated Financial Services firm. Tim will share his story – from the crying, screaming, and paranoia – to the eventual success stories and lessons learned. You will walk away from this presentation with the knowledge, skills, and shortcuts to persuade even the staunchest security naysayer to change their mind and support, rather than derail, your DevOps program.

TRANSCRIPT

Page 1: DevOps:  Lead, Follow or Get Out of the Way - A CISO Perspective


DevOps:

Lead, Follow, Or Get Out of the Way

A CISO Perspective

Presented by: Tim Virtue CISO, Texas.gov

Page 2: The Lawyers Made Me Do It

• Any references to specific organizations, people, products, or services are purely examples or learning opportunities and neither criticisms nor endorsements
• The views presented are strictly my own and may or may not represent any organizations or affiliations I have (mostly because they have not seen the light yet)
• It’s OK to agree to disagree, but anyone who gets that worked up over slides needs a vacation

Page 3: ABC Soup & Street Cred

• CISSP, CCSK, CISA, CIPP/G, CFE, ITIL V3, CVE, QGVM, blah blah blah…
• Over 15 years experience in Security, Risk Management and IT
• Executive Master of Science in Information Systems from a top business school
• Cyber Security Instructor, Author & Speaker
• Not bragging – just showing perspective & credibility – if DevOps can sell me, you can sell it to the greater security community and your organization

Page 4: What DevOps Is Not

• Something to be ignored
• Something Security should try and stop
• Something done in isolation
• A system or tool implementation

Page 5: What is DevOps?

• Many things to many people
• A trendy buzzword, but with a powerful ideology
• Not just for “The Unicorn Companies”
• For today, let’s focus on key concepts such as Agile, Culture, Quality, Automation & Tools
• For a great in-depth discussion read “What Is DevOps?” by the Agile admin: http://theagileadmin.com/what-is-devops/

Page 6: DevOps: My Initial Thoughts

3 Ring CiRCus

• Like I didn’t have enough problems when they (Development & Operations) worked independently – now they want us to work together – Seriously???
• Puppets, Chefs, & Vagrants – These are now in the environment – I don’t know what this means, but you’re telling me not to worry – Really???
• We struggle with a few security basics already – and now you want to do everything faster – Fantastic!

Page 7: A Light At The End of The Tunnel – But I Still Think It Could Be A Train

• Once I began to understand the DevOps shift and that it means more than a suite of new tools, I began to feel a little better
• Communication, Collaboration and Integration – these sound like good things that we can use more of
• Everyone is doing it – How bad could it be?

Page 8: Traditional Security 101

• CIA – Confidentiality, Integrity, Availability
• Slower is better
• Separation of Duties
• Documentation
• Security Says No!

Page 9: How Security Sees Itself

Presenter notes: We’re here to help – let us take care of everything
Page 10: How Security Sees Development & Operations

Page 11: How Development & Operations See Security

Security Says… NO!!!

Presenter notes: Do I really need to explain this to you?
Page 12: How We All Should Be Seen

Dev Ops Sec

Presenter notes: There is an “I” in IT – but it shouldn’t be there
Page 13

• Faster releases means faster security fixes
• More automation = Less manual processes (read less human error & reduced insider threats)
• More visibility and involvement with stakeholders

Page 14: Time For A Change

Page 15: SecDevOps

• Security not only embraces but leads a Security-driven DevOps Culture
• We control our own destiny rather than fight an inevitable and uphill battle
• We manage by a risk-based approach – but still achieve our compliance requirements

Page 16: DevOps Security

• Happens a lot faster, if not “real time”
• Automation
• Less Documentation
• “Blurred” segregation of duties
• Security needs to say yes with secure, flexible solutions that address CIA and not lose focus on what we are really trying to protect

Page 17: How Do We Get There?

Collaboration
• Work together so the output is more like SecDevOps

Communication
• Share what you are doing and why
• Learn to speak the DevOps language but share Security perspectives too

Innovation
• Work together to find solutions to support traditional Security 101 goals while supporting new methodologies

Page 18: How Do We Sell This?

• It is happening one way or the other – better to control our own destiny rather than fight an uphill battle
• Let us all work collaboratively to get our needs met
• Let us show you how it can benefit you

Page 19: CISO Benefits – If DevOps Security Is Done Right

• Faster releases means faster security fixes and fewer vulnerabilities
• More automation = Less manual processes (read less human error & insider threats)
• More visibility and involvement with stakeholders

Page 20: Some Other Things To Consider

• Security leaders will need to invest time in the transition so you can help meet existing security requirements while supporting the mission
• Start small and prove this works
• Get the CISO onboard, he can be your biggest advocate
• This is a huge shift – it will take time – practice traditional organizational change management techniques
• Lead by example

Page 21: What Needs To Change - Security

• More & Improved Collaboration and Communication
• More open minds and increased knowledge
• Flexible solutions that address the intent of CIA while not getting hung up on “Old School” and “we have always done it that way” methodologies
• Become change agents in the security community (including risk managers, auditors, compliance professionals)

Page 22: What Needs To Change - DevOps

• More & Improved Collaboration and Communication
• Innovative ways to support traditional security objectives while embracing DevOps
• Put the “No” in Technology and start speaking the language of risk management
• Build in security throughout the entire DevOps Lifecycle

Page 23: Where To Start

Page 24: Cause of Failure

• Focusing on technology and ignoring organizational culture
• Lack of creativity
• Lack of executive support
• Only select teams/individuals adopting new methodologies
• Losing sight of business goals and desired outcomes

Page 25: Cause of Success

• Proper training
• Starting small
• Alignment with business
• Creating a culture of agility
• Incremental improvement
• Focus on the intent of security requirements
• Risk-based approach

Page 26: Call to Action

Start today
• You invested the time in this session – take the next step

Avoid overthinking
• You don’t need to roll out the perfect solution

Iterative approach
• Crawl, Walk, Run

Be constructively dissatisfied
• Deliver continuous improvement

Lead by example and build controls into the process

Page 27: Thank You!

• Help me spread the message to others
• Build security into your organizational DevOps culture so that it looks more like SecDevOps
• Please check me out on LinkedIn http://www.linkedin.com/in/timvirtue
• Or follow me on Twitter https://twitter.com/timvirtue

Page 28: Contact Me

Tim Virtue • Chief Information Security Officer • [email protected]

Page 29