Hannah and Alex discuss treating security like a product by focusing on measurable outcomes and controllable inputs rather than compliance checklists. For small organizations, this involves threat modeling, establishing relevant security controls, determining success metrics, defaulting to automation, and iterating based on feedback. For large organizations, specialized security product teams may emerge to help operational teams meet security goals, such as application security validation engineers who help developers understand and manage risk. The goal is aligning security and business objectives through a "team of teams" approach.

1. 1
SpringOne 2021
Treating Security like a Product
Hannah Hunt, Chief of Product, Army Software Factory
Alex Barbato, Solutions Engineer, VMware

2. 2
Reference to products or services of any commercial company does not imply
official endorsement by the Department of Defense or Department of the Army.
Disclaimer

3. 3
Hannah and Alex
Chief of Staff - Kessel Run USAF
Chief Product Officer - Army Software Factory USA
Application developer, turned security enthusiast - VMware Tanzu

4. 4
How we got here, a satire
Alex: “Hey Hannah, we’ve got guidance we need to write up a few compliance documents and go
through a couple hundred count security control checklists before we can push our applications to
production.”
Hannah: “All of them? Doesn’t matter how big or small? Or how complex?”

5. 5
How we got here, the real story
5

6. 6
MySquad got to
production and we
started talking about how
things work well in
cybersecurity generally
(and also not so well)

7. 7
Organizations struggle with prioritizing
cybersecurity and compliance needs

8. 8
A Brief History of the Risk Management Framework in
the U.S.Government
● Built originally within the Department of
Defense
● Adopted by National Institute of Standards
and Technology (NIST) Risk Management
Framework
○ A process that integrates security, privacy, and
cyber supply chain risk management activities
into the system development life cycle.

9. 9
It’s not quite that simple
Before 1992
Formative years
1992 - 2006
DITSCAP
2006 - 2016
DIACAP
2010 - Present
RMF
9

10. 10
The U.S. Government often over rotates
on compliance at the detriment to real
cybersecurity standards

11. 11
Government Cybersecurity Teams often...
have more knowledge in on-premise hardware versus cloud-based
technologies.
rely on documentation generation over coding ability (ISSM over
DevSecOps Engineer).
are not proactively assessing newer technological trends.
not immediately connected to mission delivery owners.

12. 12
It’s not their fault!
12

13. 13
“Many officials fail to perform the necessary risk framing activities that
inform the execution of RMF activities. Two of the most common
reasons appear tend to be 1) risk aversion and 2) an unwillingness to
articulate in writing their risk tolerance– the level and nature of the risk
they are willing to accept.”
Beyond Compliance --- Addressing the Political, Cultural and Technical Addressing the Political, Cultural and
Technical Dimensions of Applying the Risk Management Framework, MITRE
13

14. 14
Cybersecurity and compliance also
struggle in industry
14

15. 15
15
Small organizations
Fighting to survive Belief that
cybersecurity risk is
not insurmountable
or overly large
Lacking expertise

16. 16
16
The facts for small organizations
*Research by Varonis and CSIS
$3.86
million
The average cost of
a data breach -
worldwide ($8.86
million in the US)
28%
Percent of cyber
attacks that target
small businesses
Unfilled
cybersecurity
positions by 2022
1.8
million

17. 17
Enterprise doesn’t fare any better
17

18. 18
18
The facts for enterprise
Increase in the
number of
ransomware attacks
on enterprises
The potential cost of
a mega breach of
above 50 million
records
Unfilled
cybersecurity
positions by 2022
(competing with
small businesses!)
12%
$392
million
*Research by Varonis
1.8
million

19. 19
Employers today are in critical need for more cybersecurity
professionals, but they do not want more compliance officers or
cybersecurity policy planners. What organizations are truly desperate for
are graduates who can design secure systems, create new tools for
defense, and hunt down hidden vulnerabilities in software and
networks.
The Cybersecurity Workforce Gap - CSIS (Center for Strategic & International
Studies)
19

20. 20
What is lacked in cybersecurity
talent and efforts can be insured
for… right?
20

21. 21
In addition to more effective
attacks and larger demands,
cyber insurance rates are
increasing to cover added costs.
For example, emerging data
breach and data privacy
regulation can mean companies
have increased legal liabilities
when ransomware attacks
strike.
5 - 25%
increase in
cost
CPO Magazine

22. 22
So how do we change that?
22

23. 23
By treating security like a product
23

24. 24
How does one treat security as a product?
The answer is a consistent view into the things that matter.

25. 25
It is not trivial to see the entirety of the
iceberg
25

26. 26
Many product teams focus on story velocity, usage, and revenue, but

27. 27
These dashboards
fail to capture
underlying risk to
operations from a
cybersecurity risk
The bad news is
visualizing risk is
not trivial
27

28. 28
- Colin Bryar, Working Backwards: Insights, Stories, and Secrets from Inside Amazon
“Our emphasis is on what we call controllable input metrics,
rather than output metrics. Controllable input metrics (e.g.,
reducing internal costs so you can affordably lower product
prices, adding new items for sale on the website, or reducing
standard delivery time) measure the set of activities that, if done
well, will yield the desired results, or output metrics (such as
monthly revenue and stock price).”

29. 29
Controllable input for security - control insights
Hear us out for a second...

30. 30
Where the Federal government has it wrong...

31. 31
31
There is plenty of good in there as well!
Controls exist! Measured based on
some measure of
risk
Automatable with
effort

32. 32
How might this look at a tactical level?
32

33. 33
Small Organizations

34. 34
34
All hands are on deck
Threat
modeling
A quick and dirty path to follow
Establish
relevant
controls
Determine
path to and
measures for
success
Default to
automation
Take
feedback and
iterate
* RMF folks, look familiar?

35. 35
35
Threat modeling
Security without a threat model
GitHub has dependabot, right?
It’ll keep my dependencies up to
date so we are good. We’ll catch all
the patches.
Security with a threat model
Ok yeah, but our application is
used to host credit card
information.
Our threat model shows that
gaining access to our finance
systems is of high value,
vulnerable, and need be secured
first.
Image credit: Microsoft

36. 36
Establish relevant controls
There are oodles of frameworks and tools that exist to help in this domain.
Our primary goal is to incentivize behavior for cybersecurity personnel and product teams to set
“controllable input” metrics that support your business’ measurable output metrics such as apps in
production, lead time for changes, pentesting successes, etc.
36
Your own special sauce!

37. 37
Determine path to -- and measures for -- success
One anti-pattern we believe to be true is trying to separate security and business concerns...
because they are inextricably linked.
The challenges is how you make that connection!
Roadmaps? OKRs?
Comparable matrices?
Threat maps?
“War games”?
Doesn’t really matter so long as the product and cybersecurity teams are linked together and product
teams aren’t throwing security over the fence as an afterthought. Rather, both teams have a
responsibility to meet business and user outcomes and being held to those measured outcomes by
portfolio owners.
37

38. 38
Default to automation
While “automation” is the term used here, we really mean scalable systems that aren’t reliant on
single individuals or unclear processes. Code is one way to achieve that (and don’t get us wrong we
encourage it!), but simply using project management tools and reminders with clear acceptance
criteria can go miles.
38
From Amazon’s Security blog,
building a Governance, Risk, and
Compliance program is a
symbiotic relationship that
requires coordination across
multiple domains.
These domains cannot be
effectively reigned in without a
reliance on “automation”

39. 39
Take feedback and iterate
39
* Check content definitely helps here.

40. 40
Large Organizations

41. 41
Product teams focused on certain cybersecurity aspects may emerge
- Penetration testers, detection
alerting, security assessments,
malware analysis, threat intelligence,
forensics, red/blue teams
- Any number of specialized and
focused teams may emerge.
- Clearly define the success criteria
and mission for these teams
- Practicing a “team of teams”
approach with cybersecurity,
user-facing application and
infrastructure / platform product
teams

42. 42
How does this manifest for us?

43. 43
The question is less about why, but more about how
- Centralized management of security controls with
decentralized execution using a “teams of teams”
model
- The emergence of Application Security Validation
Engineers (ASVEs)
- Developers are often confused on what security
gates and thresholds they need to maintain
- ASVEs provide a user-focused service for product
teams to understand and manage risk
43

44. 44
100 percent of respondents considered
soft skills to be important when hiring for
a security team, and 21 percent even
went so far as to say that they were
more important than hard skills.
The Cybersecurity Workforce Gap - CSIS
44

45. 45
How these organizations traditionally align
45
“Cybersecurity /
Compliance”
Team
“Platform”
Product Team
Line of business
leadership
Cybersecurity
Leadership

46. 46
How it manifests on a project for us
46
“Cybersecurity /
Compliance”
Product Team
“Platform”
Product Team
“Application Security
Validation Engineer” Product
Team
Cybersecurity
Representation
Leadership

47. 47
Rallying Point

48. 48
Treating security
like a product
garners user buy-in
into a
security-focused
outcomes while
making security
tangible.
Our approach is
leveraging shared
outcomes with tactical
specialists in ASVEs to
help in implementation
and scaling.
Your’s may be different 48

49. 49
Thanks.