DevOps Chat: DevSecOps and RSAC 2019 with Shannon Lietz

RSA Conference (RSAC) 2019 is just a month away. Once again, it promises to be the place where the world gathers around security. With upwards of 50,000 people attending, it is big by anyone’s standard.

DevSecOps will be center stage this year, literally. Shannon Lietz, founder of, will be keynoting as well as leading a weeklong track on DevSecOps. Shannon is our guest in this DevOps Chat.

Part 2 of this chat where we are joined by Rugged DevOps founder, James Wickett will follow this chat next.

If you haven’t already registered, here’s a code for $100 off a full conference pass (all sessions): 1U9DEVOPSFD. In addition, here’s a code for a free expo pass: 1U9DEVOPSXP.

In addition to the DevSecOps track, the 5th annual DevOps Connect: DevSecOps Days will be held Monday, March 4, at Moscone, as part of RSAC.

As usual, the streaming audio is immediately below, followed by the transcript of our conversation.


Alan Shimel: Hey, everyone, it’s Alan Shimel,, Security Boulevard, and we’re talking DevOps Chat. We’ve got a DevSecOps-flavored chat for you today. Speaking of DevSecOps, we’re with the godmother, the queen of DevSecOps, if you will, [Laughter] Shannon Lietz.

Shannon Lietz: [Laughter]

Shimel: Shannon, welcome!

Lietz: Hi, there.

Shimel: How are you?

Lietz: Hi, there. Thanks for having me here today.

Shimel: Oh, it’s my pleasure as always, Shannon. You know, and I say it tongue-in-cheek, but just to give, maybe some folks in our audience are not familiar with you and your background. You actually sort of founded

Lietz: I definitely founded, yes, along with a core bunch of people, yes.

Shimel: Yep, and that was—I’m gonna guess that had to be about four years ago now, five years ago?

Lietz: About—well, there’s definitely been iterations. The website went up around 2012.

Shimel: Okay, so, going on sixth onto the seventh year.

Lietz: Yeah.

Shimel: Boy, time flies when you’re having fun. But, Shannon, that’s of course not all you do. You also run a team at Intuit.

Lietz: Yep.

Shimel: And what was interesting, I remember the first time I listened to you at a conference is, your DevSecOps team, it was a team of developers, if you will.

Lietz: Yeah, I’ve got a team of developers that also do security and ops.

Shimel: Yep, which, at the time was kinda radical, right?

Lietz: Yes, I love radical work.

Shimel: And maybe still a little radical.

Lietz: I think so. I think I’m still pretty radical. I don’t think I’ve outgrown radical.

Shimel: I hope you don’t ever, Shannon.

Lietz: I like being radical. It’s kinda fun.

Shimel: Yeah, one day you wake up and you’re old, so don’t outgrow radical.

Lietz: [Laughter] Oh, no, no—I’m old, I’m just fighting it every step of the way.

Shimel: We all try. We all try, man. Anyway, but I wanted to talk to you a little bit about, you know, we’re coming into RSA season. We’re like one month, a little over a month away from RSA, which is always a big day.

Lietz: Yep. I’m psyched about it, as usual.

Shimel: Mm-hmm. Yeah, so am I. So are we, here. You know, for the fifth year, we’re gonna be putting on DevOps Connect: DevSecOps Days on the Monday of RSA week. Mark Miller, you know, works with me and he’s put together—Mark kinda picks the speakers. So, he’s helped with speaker selection. We have what I think is our best, strongest lineup of speakers yet. I think you’re involved as a mentor?

Lietz: I don’t know if I am, but I know—I think I’m on a panel this year.

Shimel: Yes! That’s right, you are on one of the panels this year. We have a real expert panel with some really great brain power up there, so that should be a good one. We also have some great mentors and introducing some new speakers to the community, and that is the Monday of RSA week, so I believe that’s March 4th, exactly a month from when we’re recording this, and anyone listening, by all means, check us out. If you have any kind of RSA badge, you can get in to Moscone Center to watch it. It starts at 9, runs ‘til 4.

If you need a free Expo Pass, which will get you into this, you can get one on—I think on, or, as well as on our page, so highly, highly recommend it.

But Shannon, Monday isn’t your total involvement in RSA and DevSecOps and RSA Week. Let’s talk about what else you have on the docket for that week.

Lietz: Yeah, there’s a ton of stuff on the docket that week. We have a DevSecOps track, and in the track, we have some amazing speakers. Everybody is practitioner-based, and we have a select number of them that are really enticing and intriguing, at all varieties of levels. So, we have stuff for beginners all the way through our advanced folks that are looking for a few more pointers in the direction of things like precision and metrics and what do you do with things like DevSecOps around culture.

Shimel: Excellent. Can you share some of the speakers’ names?

Lietz: You know, I am—[Laughter] I don’t have those right with me at the moment, but I’d be happy to, once I crack open my laptop, provide them to you. I know—

Shimel: Well, you know what, I’ll—

Lietz: – actually, I do know a few. I actually do know a few, that’s right.

Shimel: Go ahead.

Lietz: I know that Julie Tsai is gonna be talking about containers and APIs.

Shimel: Great.

Lietz: I also know that James Wickett is gonna be presenting as a side-by-side with me.

Shimel: Great.

Lietz: And then I also know that we are fortunate that we actually got John Willis to sign up as well.

Shimel: Very cool.

Lietz: And we’re looking forward to some of the folks that are gonna expand our knowledge around what to do, specifically, with things like Kubernetes. And so, there’s a really nice, wide range of folks that are gonna be presenting.

We’ve also got a lot more women in the track this year.

Shimel: That’s nice.

Lietz: So, we really put ourselves to the task of trying to increase the number of women that will be talking this year. And I’ve seen some of those presentations already, and I think it’s gonna be really amazing.

Shimel: Yeah. I mean, so, diversity is something that, frankly, the folks at RSA got a bit of a bad rep last year, I think. And I’ve worked with the RSA Conference people for 20 years. They try really hard, Shannon, to promote diverse—

Lietz: Oh, there are amazing—there’s a lot of amazing women behind the RSA Conference that I don’t think people really know.

Shimel: Exactly. I don’t think people realize that it’s actually run by women, but in any event …

Lietz: It’s primarily run by women, actually. There’s a ton of diversity behind the scenes with the program committees and the program itself.

Shimel: I know.

Lietz: I will tell you, I’ve never seen so many women that run a security conference before, so I’m proud to be part of that sisterhood. And I understand what happened last year. I think that there’s a lot changing in the industry. Specifically, I think one of the things that we’re really trying to impart now is that vendors need to be looking for women in the industry that they can partner with to be able to have more representation, and not just focus on the key male talent in those companies.

Shimel: Agreed.

Lietz: So, this year, you can tell there’s a lot more partnership in how we’re thinking about it.

Shimel: You can see it. You can see it in the lineup, frankly, of keynotes and everything else. But I think, you know—look, it shone a light on the issue and they’ve responded. But suffice to say—look, this wasn’t a problem of their choosing or doing. The effort’s always been there. It hasn’t always been there from the entire security industry, I mean, the entire tech industry, but that’s changing, too.

But I don’t want to make this about that, Shannon.

Lietz: Yeah.

Shimel: I think, suffice to say, we’re doing a good job this year, come check it out and see for yourself.

For people, Shannon, who are listening and maybe they can head over to the RSA Conference website, it’s an entire track within the RSA content, correct?

Lietz: Yes, it is. It’s a full track. We have “DevSecOps and Applications Security,” and you’ll find that there’s a good mixture of both of those topics.

Shimel: Fantastic. So, and it’s not just one day, it’s throughout the week.

Lietz: It is throughout the week, and it’s actually the same as every other track. So, we have about 14 speakers.

Shimel: Fantastic. Good stuff. Shannon, let’s talk a little bit, if you don’t mind, let’s talk about the DevSecOps Days. We have a little stage squeaky door there, I thought it was a ghost.

Lietz: [Laughter]

Shimel: Shannon, [Laughter] DevSecOps Days and that whole movement is something you’ve helped foster from and working with some of the folks you and I work with. Any exciting news or developments you want to share on that?

Lietz: Yeah. We’re in the middle of finishing up a rebrand of the website, and we are also working on a book, and so—

Shimel: “The DevSecOps Handbook.”

Lietz: – the book is—yeah, we’re working on that. It’s gonna be probably about a year out, but I’m super excited because it’s been a lot of work, pretty hard and difficult to put together. So, that means there’s a lot of great thinking in it, and we’re still working with different folks on use cases, and I think that the knowledge that’s gonna be pulled together is, you know, just—it’s a language of love from the industry.

Shimel: Yes, it is. I’ve spoken to several folks besides you who are working on it, and it sounds like exciting stuff.

Shannon, you know, one of the big things—and you and I, right, we’ve both been trying to preach that DevSecOps to our security peeps now for a number of years via RSA and other conferences. There’s still a group of security people out there, you know, and a lot of them are, the attitudes just annoy the heck out of me, frankly. But it’s this holier-than-thou, that, “Oh, it’s all b.s., right? DevOps is just about giving developers carte blanche, and they don’t care about security, and only security people are about security, and DevSecOps isn’t a thing, if you will.”

What do we gotta do, Shannon? I mean, we keep working. You do—you work hard at it, I work hard at it, a lot of our friends work hard at it. But what do we need to do to convince these doubting Thomases?

Lietz: Well, I think on the development side, what I would say is, don’t avoid security conferences. Start showing up. You know, the security folks can only do better by understanding the diverse perspectives of everyone involved. So, I know that it would be great to see more folks that I work with participate in RSA and other security conferences.

You know, there’s an opportunity from the security side to reach across to the people with you and not make it about, you know, SQL injection or cross-site scripting, but more about—how do we impart the knowledge and the wisdom to be able to make better security decisions sooner in the process, line up the tools and the capabilities (there’s still way too many false positives coming out of tools) and really approach the problem from a different perspective. So, I know that that’s really kind of key on my mind.

You know, also, just bringing more of the precision element to bear. I think having better metrics in this space can also help to really push us forward so that folks start to understand the mathematics behind the decisions that they’re actually making.

Shimel: Absolutely. So, you know, it sounds like a job for education as well as tools.

Lietz: Oh, absolutely.

Shimel: What about the culture, though?

Lietz: Well, the culture, you know, it’s interesting, because what I find is that if you have the right tooling and you have the right metrics and you have the right understanding, the culture comes along. Culture tends to be about change management, and really, whether or not somebody’s doing the right thing when it comes to providing value that they’re performing every day.

So, you know, you might have a more difficult time trying to convince somebody to do security if it’s not part of their day-to-day work. And so, I think that’s really another element of it.

Shimel: Absolutely. And it’s something—you know, so I think one of the not mistakes but, you know, a time waste that we’ve gone through in DevSecOps is, we tend to focus on one or another of these elements, almost at the expense of another, without really recognizing and realizing that one helps the other, right? So, when you have better tools, you have better metrics. When you have better metrics, you have more affinity for each other’s jobs, right? You have more empathy.

Lietz: Mm-hmm.

Shimel: And when you have more empathy, you have better culture, for the most part, right? It’s like—you know, it’s the circle of life here, right? They all kinda help each other, right? You have better culture, we understand what you’re gonna need in the way of metrics, and if I understand what you’re gonna need in the way of metrics, I can design better tools, right?

Lietz: Right.

Shimel: It’s a circle. And, you know, sometimes I just feel like we get stuck in each individual silo, if you will, without recognizing the interdependency of it all.

Lietz: Well, I think there’s a lot of focus right now on speed. So, I don’t know if I feel the same way that we’re getting focused on one versus the other. I’ve heard a lot of different focus across the industry. So, we’re pressing on all of them, it’s just—everybody has different challenges depending on where they are, so there’s no one-size-fits-all.

And I think, to your point, maybe just the folks that you’re surrounding yourself with could be focused on tools. I’ve actually seen a lot of different variation myself. I’ve probably gone out and just sought it myself. And what I’ve found is that there is a lot of folks that are having different problems at different companies, and the variation is—it doesn’t mean that it’s not working, it just means that everybody is going through some portion of it.

You might have, you know, at some companies, have folks with bigger skill sets; other companies may have really great team strategies. You know, everybody’s got something and there’s always a different perspective and different way to actually go about something.

So, from my perspective, I’m not seeing radical focus; I’m seeing variation that suggest that when companies are embracing this strategy of DevSecOps that they’re either coming at it from a Dev perspective, a security perspective, some of it’s being driven by the cloud adoption and some of those things.

Shimel: Yeah. Yeah, I don’t disagree with that. I don’t disagree. I think it’s not that everyone is tools-focused or everyone is metrics-focused or everyone is culture—I think there’s a variety. But what I don’t see is how people recognize the interdependency of these. How this is really all—it’s just what, holistically, it’s one thing that we’re trying to do. And it is as developer-focused as it is security-focused as it is Ops-focused. It’s not one’s superior or leading the way to the other two or—

Lietz: Yeah, I agree with you.

Shimel: You know, and I think that is something to get on, here. Hey, it sounds like we have a surprise guest joining us to wrap up things, here. Could that be James Wickett?

James Wickett: This is him.

Shimel: James, you’ve got Shannon Lietz on with Alan.

Wickett: Hey! How are you guys doing?

Shimel: Good.

Lietz: Good, thanks.

Shimel: So, James, we were just wrapping up a podcast with Shannon, but being that you’re both on, this is a great segue where I can wrap up Shannon’s and introduce yours, but maybe we can get a little of the both of you. Shannon, do you have to run, or do you have a couple minutes?

Lietz: I got a couple minutes.

Shimel: Alright, let’s do this. So, you know, surprise here in Mr. Alan’s Neighborhood, we’ve got James Wickett just popping in to join us, and of course, James is the founder of the Rugged DevOps movement, an important person in the DevSecOps and DevSecOps space community, as well as one of the principal folks over at Signal Sciences. James, welcome!

Hey, everyone. We’re gonna end part one of this conversation right now. This is Alan Shimel for and Security Boulevard. Check out the rest of our conversation with Shannon and James Wickett in part two in the next DevOps Chat episode. Until then, this is Alan Shimel—have a great day.

Alan Shimel

Avatar photo

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded and then the DevOps Institute. is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.

alan has 80 posts and counting.See all posts by alan

One thought on “DevOps Chat: DevSecOps and RSAC 2019 with Shannon Lietz

Comments are closed.

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)