
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective


There comes a time in every good security leader’s career where just saying “no” to DevOps won’t work (although we always reserve the right to do so). Instead, we must come up with a solution to the problem at hand. The time is here and now to embrace DevOps.

Join Tim Virtue, Chief Information Security Officer for Texas NICUSA, as he explores the “marriage” of DevOps and Security. He will share the successes and failures from three significant DevOps experiences, with a focus on his most recent encounter with the DevOps/Security union in a heavily regulated Financial Services firm.

Tim will share his story – from the crying, screaming, and paranoia – to the eventual success stories and lessons learned. You will walk away from this presentation with the knowledge, skills, and shortcuts to persuade even the staunchest security naysayer to change their mind and support, rather than derail, your DevOps program.

Published in: Technology, Business

DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective

  1. DevOps: Lead, Follow, Or Get Out of the Way – A CISO Perspective
     Presented by: Tim Virtue, CISO, Texas.gov
  2. The Lawyers Made Me Do It
     • Any references to specific organizations, people, products, or services, are purely examples or learning opportunities and neither criticisms nor endorsements
     • The views presented are strictly my own and may or may not represent any organizations or affiliations I have (mostly because they have not seen the light yet)
     • It’s OK to agree to disagree, but anyone who gets that worked up over slides needs a vacation
  3. ABC Soup & Street Cred
     • CISSP, CCSK, CISA, CIPP/G, CFE, ITIL V3, CVE, QGVM, blah blah blah…
     • Over 15 years experience in Security, Risk Management and IT
     • Executive Master of Science in Information Systems from a top business school
     • Cyber Security Instructor, Author & Speaker
     • Not bragging – just showing perspective & credibility – if DevOps can sell me, you can sell it to the greater security community and your organization
  4. What DevOps Is Not
     • Something to be ignored
     • Something Security should try and stop
     • Something done in isolation
     • A system or tool implementation
  5. What is DevOps?
     • Many things to many people
     • A trendy buzzword, but with a powerful ideology
     • Not just for “The Unicorn Companies”
     • For today, let’s focus on key concepts such as Agile, Culture, Quality, Automation & Tools
     • For a great in depth discussion read “What Is DevOps?” by the Agile admin: http://theagileadmin.com/what-is-devops/
  6. DevOps: My Initial Thoughts
     3 Ring Circus
     • Like I didn’t have enough problems when they (Development & Operations) worked independently – now they want us to work together – Seriously???
     • Puppets, Chefs, & Vagrants – These are now in the environment – I don’t know what this means, but you’re telling me not to worry – Really???
     • We struggle with a few security basics already – and now you want to do everything faster – Fantastic!
  7. A Light At The End of The Tunnel – But I Still Think It Could Be A Train
     • Once I began to understand the DevOps shift and that it means more than a suite of new tools, I began to feel a little better
     • Communication, Collaboration and Integration – these sound like good things that we can use more of
     • Everyone is doing it – How bad could it be?
  8. Traditional Security 101
     • CIA – Confidentiality, Integrity, Availability
     • Slower is better
     • Separation of Duties
     • Documentation
     • Security Says No!
  9. How Security Sees Itself
  10. How Security Sees Development & Operations
  11. How Development & Operations See Security
     Security Says… NO!!!
  12. How We All Should Be Seen
     Dev OpsSec
  13. • Faster releases means faster security fixes
     • More automation = Less manual processes (read less human error & reduced insider threats)
     • More visibility and involvement with stakeholders
  14. Time For A Change
  15. SecDevOps
     • Security not only embraces but leads a Security driven DevOps Culture
     • We control our own destiny rather than fight an inevitable and uphill battle
     • We manage by risk based approach – but still achieve our compliance requirements
  16. DevOps Security
     • Happens a lot faster, if not “real time”
     • Automation
     • Less Documentation
     • “Blurred” segregation of duties
     • Security needs to say yes with secure, flexible, solutions that address CIA and not lose focus on what we are really trying to protect
  17. How Do We Get There?
     • Collaboration
       - Work together so the output is more like SecDevOps
     • Communication
       - Share what you are doing and why
       - Learn to speak the DevOps language but share Security perspectives too
     • Innovation
       - Work with to find solutions to support traditional Security 101 goals while supporting new methodologies
  18. How Do We Sell This?
     • It is happening one way or the other – better to control our own destiny rather than fight an uphill battle
     • Let us all work collaboratively to get our needs met
     • Let us show you how it can benefit you
  19. CISO Benefits – If DevOps Security Is Done Right
     • Faster releases means faster security fixes and less vulnerabilities
     • More automation = Less manual processes (read less human error & insider threats)
     • More visibility and involvement with stakeholders
  20. Some Other Things To Consider
     • Security leaders will need to invest time in the transition so you can help meet existing security requirements while supporting the mission
     • Start small and prove this works
     • Get the CISO on board, he can be your biggest advocate
     • This is a huge shift – it will take time – practice traditional organizational change management techniques
     • Lead by example
  21. What Needs To Change - Security
     • More & Improved Collaboration and Communication
     • More open minds and increased knowledge
     • Flexible solutions that address the intent of CIA while not getting hung up on “Old School” and “we have always done it that way” methodologies
     • Become change agents in the security community (including risk managers, auditors, compliance professionals)
  22. What Needs To Change - DevOps
     • More & Improved Collaboration and Communication
     • Innovative ways to support traditional security objectives while embracing DevOps
     • Put the “No” in Technology and start speaking the language of risk management
     • Build in security throughout the entire DevOps Lifecycle
  23. Where To Start
  24. Cause of Failure
     • Focusing on technology and ignoring organizational culture
     • Lack of creativity
     • Lack of executive support
     • Only select teams/individuals adopting new methodologies
     • Losing sight of business goals and desired outcomes
  25. Cause of Success
     • Proper training
     • Starting small
     • Alignment with business
     • Creating a culture of agility
     • Incremental improvement
     • Focus on the intent of security requirements
     • Risk based approach
  26. Call to Action
     • Start today
       - You invested the time in this session – take the next step
     • Avoid overthinking
       - You don’t need to rollout the perfect solution
     • Iterative approach
       - Crawl, Walk, Run
     • Be constructively dissatisfied
       - Deliver continuous improvement
     • Lead by example & build controls into the process
  27. Thank You!
     • Help me spread the message to others
     • Build security into your organizational DevOps culture so that it looks more like SecDevOps
     Please check me out on LinkedIn http://www.linkedin.com/in/timvirtue
     Or follow me on Twitter https://twitter.com/timvirtue
  28. Contact Me
     • Tim Virtue
       - Chief Information Security Officer
       - Tim.Virtue@egov.com