There comes a time in every good security leader’s career where just saying “no” to DevOps won’t work (although we always reserve the right to do so). Instead, we must come up with a solution to the problem at hand. The time is here and now to embrace DevOps.
Join Tim Virtue, Chief Information Security Officer for Texas NICUSA, as he explores the “marriage” of DevOps and Security. He will share the successes and failures from three significant DevOps experiences, with a focus on his most recent encounter with the DevOps/Security union in a heavily regulated Financial Services firm.
Tim will share his story – from the crying, screaming, and paranoia – to the eventual success stories and lessons learned. You will walk away from this presentation with the knowledge, skills, and shortcuts to persuade even the staunchest security naysayer to change their mind and support, rather than derail, your DevOps program.
DevOps: Lead, Follow or Get Out of the Way - A CISO Perspective
1. DevOps: Lead, Follow, Or Get Out of the Way
A CISO Perspective
Presented by: Tim Virtue, CISO, Texas.gov
2. The Lawyers Made Me Do It
Any references to specific organizations, people, products, or services are purely examples or learning opportunities and neither criticisms nor endorsements
The views presented are strictly my own and may or may not represent any organizations or affiliations I have (mostly because they have not seen the light yet)
It’s OK to agree to disagree, but anyone who gets that worked up over slides needs a vacation
3. ABC Soup & Street Cred
CISSP, CCSK, CISA, CIPP/G, CFE, ITIL V3, CVE, QGVM, blah blah blah…
Over 15 years’ experience in Security, Risk Management and IT
Executive Master of Science in Information Systems from a top business school
Cyber Security Instructor, Author & Speaker
Not bragging – just showing perspective & credibility – if DevOps can sell me, you can sell it to the greater security community and your organization
4. What DevOps Is Not
Something to be ignored
Something Security should try and stop
Something done in isolation
A system or tool implementation
5. What is DevOps?
Many things to many people
A trendy buzzword, but with a powerful ideology
Not just for “The Unicorn Companies”
For today, let’s focus on key concepts such as Agile, Culture, Quality, Automation & Tools
For a great in-depth discussion read “What Is DevOps?” by the Agile Admin: http://theagileadmin.com/what-is-devops/
6. DevOps: My Initial Thoughts
3 Ring Circus
Like I didn’t have enough problems when they (Development & Operations) worked independently – now they want us to work together – Seriously???
Puppets, Chefs, & Vagrants – These are now in the environment – I don’t know what this means, but you’re telling me not to worry – Really???
We struggle with a few security basics already – and now you want to do everything faster – Fantastic!
7. A Light At The End of The Tunnel – But I Still Think It Could Be A Train
Once I began to understand the DevOps shift and that it means more than a suite of new tools, I began to feel a little better
Communication, Collaboration and Integration – these sound like good things that we can use more of
Everyone is doing it – How bad could it be?
8. Traditional Security 101
CIA – Confidentiality, Integrity, Availability
Slower is better
Separation of Duties
Documentation
Security Says No!
13. Faster releases means faster security fixes
More automation = Less manual processes (read less human error & reduced insider threats)
More visibility and involvement with stakeholders
15. SecDevOps
Security not only embraces but leads a Security-driven DevOps Culture
We control our own destiny rather than fight an inevitable and uphill battle
We manage by a risk-based approach – but still achieve our compliance requirements
16. DevOps Security
Happens a lot faster, if not “real time”
Automation
Less Documentation
“Blurred” segregation of duties
Security needs to say yes with secure, flexible solutions that address CIA and not lose focus on what we are really trying to protect
17. How Do We Get There?
Collaboration
• Work together so the output is more like SecDevOps
Communication
• Share what you are doing and why
• Learn to speak the DevOps language but share Security perspectives too
Innovation
• Work with DevOps to find solutions to support traditional Security 101 goals while supporting new methodologies
18. How Do We Sell This?
It is happening one way or the other – better to control our own destiny rather than fight an uphill battle
Let us all work collaboratively to get our needs met
Let us show you how it can benefit you
19. CISO Benefits – If DevOps Security Is Done Right
Faster releases means faster security fixes and fewer vulnerabilities
More automation = Less manual processes (read less human error & insider threats)
More visibility and involvement with stakeholders
20. Some Other Things To Consider
Security leaders will need to invest time in the transition so you can help meet existing security requirements while supporting the mission
Start small and prove this works
Get the CISO on board; he can be your biggest advocate
This is a huge shift – it will take time – practice traditional organizational change management techniques
Lead by example
21. What Needs To Change - Security
More & Improved Collaboration and Communication
More open minds and increased knowledge
Flexible solutions that address the intent of CIA while not getting hung up on “Old School” and “we have always done it that way” methodologies
Become change agents in the security community (including risk managers, auditors, compliance professionals)
22. What Needs To Change - DevOps
More & Improved Collaboration and Communication
Innovative ways to support traditional security objectives while embracing DevOps
Put the “No” in Technology and start speaking the language of risk management
Build in security throughout the entire DevOps Lifecycle
24. Cause of Failure
Focusing on technology and ignoring organizational culture
Lack of creativity
Lack of executive support
Only select teams/individuals adopting new methodologies
Losing sight of business goals and desired outcomes
25. Cause of Success
Proper training
Starting small
Alignment with business
Creating a culture of agility
Incremental improvement
Focus on the intent of security requirements
Risk-based approach
26. Call to Action
Start today
• You invested the time in this session – take the next step
Avoid overthinking
• You don’t need to roll out the perfect solution
Iterative approach
• Crawl, Walk, Run
Be constructively dissatisfied
• Deliver continuous improvement
Lead by example and build controls into the process
27. Thank You!
Help me spread the message to others
Build security into your organizational DevOps culture so that it looks more like SecDevOps
Please check me out on LinkedIn: http://www.linkedin.com/in/timvirtue
Or follow me on Twitter: https://twitter.com/timvirtue
28. Contact Me
Tim Virtue
• Chief Information Security Officer
• Tim.Virtue@egov.com