Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Ask The Experts

7/1/2019
09:00 AM
Yaron Levi
Yaron Levi
Ask the Experts
50%
50%

How Do I Get Management to Buy into a SecDevOps Program?

More than anything, DevSecOps is a cultural change for many organizations.

Question: I am the security person in a company that writes a lot of its own applications. I am thinking we need to implement a DevSecOps program, but I’m not sure how to get started or how to present it to my upper management. Can you give me some advice?

Yaron Levi, CISO at Blue Cross Blue Shield of Kansas City: Start with the end in mind. When you consider the organization’s business, risk, culture, and capabilities, what do you believe a successful DevSecOps practice should look like? Try to think about the ideal situation, the good enough situation, and the minimum bar situation, then chart a path of how to get to each stage. Think about what you will need, including people, process and technology, as well as pros and cons for each stage.

For example, an ideal situation may be that every developer is fully proficient with secure development practices, threat modeling, risk assessments, etc. A good enough situation may be where you have at least one security champion (or advocate) on each team, and the minimum bar situation is where you have a centralized application security team that supports the entire organization.

This will allow you to present options to executive leadership so they can choose what makes the best business sense for them. Make sure to explain why this is needed in terms of business risks and benefits.

From a knowledge perspective, The Open Web Application Security Project (OWASP) has a lot of great information and resources to help you on your journey. Remember that, more than anything, DevSecOps is a cultural change for many organizations — hence your biggest investment will need to be in people.

What do you advise? Let us know in the Comments section, below.

Yaron Levi is an innovative security executive who has more than 20 years of experience in cybersecurity and information technology. He specializes in creating and managing security strategies; building and maturing security practices, cyber defense teams, and DevSecOps ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/9/2019 | 12:09:13 PM
Interesting adoption question, suggestions indicated below:
"but I'm not sure how to get started or how to present it to my upper management. Can you give me some advice?"
  1. Assess where the  Dev-Teams and Sec-Teams are (Does the Developer have security experience and expertise and vice versa)
  2. Provide training to both groups (address their weaknesses)
  3. Bring in a professional to provide guidance to that particular group who is lacking in certain areas (online training and in-person, people learn differently).
  4. Put the groups in scenarios to determine where they are in their development process
    • Have the Dev-Team engage in a quarterly or semi-annually security simulation where the managers capture stats on how the team performs
    • Bring the Sec-Team and have them address a programming problem, individually and as a group
  5. Put together information from the Mitre Att&ck info (security), CMMI (programming guide) along with OWASP
  6. Provide incentives on achieving their goals (monetary and leadership roles)
  7. Create a data-sharing model where both groups work together to cross-pollinate learning objectives, create a mentor program for both groups
  8. Meet every week to determine their progress and testing process
  9. Document this process where this is considered a framework for future HR projects (start, problems, mitigation procedures, lessons learned and development strategies)

Todd
ABOUT THE EDGE

Dark Reading's new section for features, threat data and in-depth perspectives
More about The Edge

 
 
Contest: Name That Toon
Flash Poll