The document summarizes lessons learned from three companies ("horses") attempting digital transformations. Horse 1 had some quick wins using automation but lacked institutionalization. Horse 2 had a strong team but faced delays and lack of management support. Horse 3 had immense scale and speed but faced communication bottlenecks. The key takeaways are to have full executive support, limit scope, work with experts, automate, and focus on building sustainable habits.

1. SESSION ID:SESSION ID:
#RSAC
Stefan Streichsbier
A Tale of Three Horses
SEM-T01
CTO
Vantage Point Security
@s_streichsbier

2. #RSAC
The Tale of Three Horses
Introduction
The Goal
The Team
The Journey
Takeaways
Conclusion
}For each horse

3. #RSAC
Unicorns and Horses
Unicorn (ˈjuːnɪkɔːn/)
A start-up company valued at more than a billion dollars that does DevOps magic.
Horse (hɔːs/)
Everyday orgs trying to do magic with limited resources and unlimited legacy c!#$.

4. #RSAC
Unicorns
Horses

5. #RSAC
Have you ever wondered how a horse becomes a unicorn?
à ?

6. #RSAC
Change or be left behind
From brick
& mortar
To disruptive
new paradigms
“The future is already here — it's just not very evenly distributed.” William Gibson
88% of 1955 Fortune
500 failed by 2015

7. #RSAC
The 3 Horses - Similarities
The largest horse
Similarities
20,000+ employees
100+ millions in profit
30+ years old
In the midst of a digital transformation
Want to transform securely
The richest horse
The oldest horse

8. #RSAC
The 3 Horses – 3 Goals
Transform the old-school approach to security to fit DevOps.
Move fast Innovate Manage Risk

9. #RSAC
Horse 1 - The Goal
Project Goals
Build cloud infrastructure for 3rd
party application development
Ensure security by doing a
penetration test
Project Challenges
Lack of time to do it “right”
Inconsistencies between instances

10. #RSAC
Horse 1 - The Team
Team Members
Mainly sysadmins
External Security Expert
Team Challenges
Lack of training for the sysadmins

11. #RSAC
Horse 1 - The Journey
Journey Wins
Used Ansible to codify Pentest fixes
Install security updates daily
Perform SSH hardening
Run Nessus once a week
Knowledge sharing workshop
Journey Fails
Isolated Win
Knowledge is not institutionalized

12. #RSAC
Horse 1 - Moral of the Story
Positive changes don’t always have to come from the top!
Collect quick wins and leverage them for bigger projects.

13. #RSAC
Horse 2 - The Goal
Project Goals
Do Agile/DevOps right
Include security from the start
Learn from 3rd party experts
Move the frontend to native
Project Challenges
Competitive pressures
Internal pressures
Complex organizational hierarchy

14. #RSAC
Horse 2 - The Team
Team Members
Internal Delivery Team
External Agile/DevOps Experts
External Security Experts
Team Challenges
No obvious challenges
Good team size
Diverse skillset
Good skill distribution

15. #RSAC
Horse 2 - The Journey
Journey Wins
Tight collaboration between Dev, Sec
and Ops
Continuous knowledge transfer
between all parties
Secure by Design
Security Testing in-cycles
Journey Fails
Delays due to dependency on others
The plug was pulled

16. #RSAC
Horse 2 - Moral of the Story
When Conway meets Murphey, things will go bad.
Even with the best team, and a good goal, if the top level
management support is wavering, you can’t transform.

17. #RSAC
Horse 3 - The Goal
Project Goals
All-in on the digital transformation
Include security from the start
Learn from 3rd party experts
Apply the latest technologies
Full rewrite of an existing app
Project Challenges
Very tight timeline
Enormous scope

18. #RSAC
Horse 3 - The Team
Team Members
Internal Delivery Team
External Agile/DevOps Experts
External Security Experts
Team Challenges
Extremely large team
Most devs unfamiliar with new tech
Too few security experts

19. #RSAC
Horse 3 - The Journey
Journey Wins
Amazing speed and agility
Great collaboration between teams
Regular knowledge sharing sessions
Security considered from the start
Security test automation coverage
Journey Fails
Communication Bottlenecks
Distributing knowledge to team
Delegating security tasks

20. #RSAC
Horse 3 - Moral of the Story
Don’t overcommit!
Err on the side of having too much time, than the other way around.

21. #RSAC
Takeaways - Goals
Full C-Level
support
Top down &
Bottom up
Don’t be too
ambitious
For every successful transformation there are 100s of failed ones.

22. #RSAC
Takeaways - Team
Change of
mindset
Work with
experts
Reduce external
dependencies
You don’t know what you don’t know, leverage experts.

23. #RSAC
Takeaways - Journey
Create a good
environment
Begin with
automation
Embrace
change
The road ahead is full of obstacles, be able to adapt to any challenge!

24. #RSAC
Conclusions
Get full C-Level support / political cover
Limit the scope of the transformation
Don’t waste any time on commodity concerns
Include external domain experts
Focus on building habits that last, or automate away problems

25. #RSAC
Sponsors of DevOps Connect: DevSecOps