DevSecOps: Beyond Manual Policy Implementation

How DevSecOps can help organization streamline and advance their processes beyond manual or hybrid solutions

When someone asks you if your company prioritizes security, most of us do a quick mental checklist:

  • Policies
  • Procedures & processes
  • Security systems

And answer, “Yes.”

But, just having these items does not make a company secure, nor guarantee that these security measures are being carried out.

Do you have?In reality, you have ….Stats
Security policiesStack of paper88% of employees have no clue about their organization’s IT security policies – Source: Tech Republic
Procedures & processesPeople working from memory of what they call recall84% blame their most recent security breach on human error

 

Security systemsA false sense of security.14,717,618,286 Data records lost or stolen since 2013

 

You should all be familiar with the Security Pyramid:DevSecOps security pyramid

In a big organization, that is a LOT of documents!

We expect people to recall the security procedure when they are fighting fires and in a panic. This is when the procedure document gets added to the fire instead.

Face it—manual policy implementation is an impossible, never-ending task that is:

  • Time-consuming and repetitive.
  • Dependent on knowledgeable staff … who then leave.
  • Open to human errors.
  • Inefficient and costly, because you need to have an entire auditing team to check that it is happening.
  • Dependent on training and practice—nobody gets good at something by reading the instructions.
  • Just plain frustrating.

 Manual Policy Implementation Cycle

DevSecOps manual policy implementationIn reality, if it is not effective, people are simply just going to bypass it.

So how do you move beyond manual policy implementation?

Security DevOps, or DevSecOps

DevSecOps allows you to automate items so you can break free from manual policy implementation. There are various levels of automation. Let’s take a scenario in which “James”  has resigned and there is a set of associated policies and procedures around staff leaving.

Level 1: Triggers—When a staff member leaves, everyone with an associated task is notified. They then have to carry out their tasks manually, but there is a defined checklist for each period (before, during and after leaving) so no one has to guess what is required of them.

Level 2: Optimize—The manual tasks get optimized. For example, instead of having to remove “James” from 10 systems, we have one central system that disconnects him from all systems.

Level 3: Hybrid—There are some optimized tasks and some automated items.

Level 4: Full automation—The ultimate one-click solution—one click to disable “James” and SecDevOps takes care of the rest and even provides a validation report at the end.

This may seem like a daunting task, but start somewhere and tackle your biggest pain points first! Then by adding a new feature each month, you’ll quickly be on the path to full automation and happier staff.

Let’s make security policies and processes faster and more efficient, rather than a hurdle people are struggling to get around!

Featured eBook
7 Reasons Why CISOs Should Care About DevSecOps

7 Reasons Why CISOs Should Care About DevSecOps

DevOps is no longer an experimental phenomenon or bleeding edge way of delivering software. It’s now accepted as a gold standard for delivering software. It’s time for CISOs to stop fearing DevOps and start recognizing that by embedding security into the process they’re setting themselves up for huge potential upsides. Download this eBook to learn ... Read More
Security Boulevard

Linda Misauer

Linda Misauer is the Head of Global Solutions at Striata and is responsible for technical Research and Development, Operations and Project Management for global initiatives. Linda previously led the Product Management of the Striata Application Platform before moving across to Striata North America as Chief Technical Officer (CTO). As Product Manager, her responsibilities included internal project management of the product development team, market research & product feature design, as well as product lifecycle management and quality control. As CTO, Linda was responsible for all technical operations for North, Central and South America, including Project Management, Support, Production and Data Engineering. Linda has over 10 years of experience in the IT industry, ranging from video streaming solutions and website application development to electronic billing and messaging. Prior to joining Striata in 2002, Linda held the positions of Chief Information Officer at AfriCam, and was IT project manager at Dimension Data. Linda studied at the University of Natal - Pietermaritzburg and holds a degree in BSc, Majoring in Computer Science and Economics. Linda also has a Diploma in Project Management.

linda-misauer has 1 posts and counting.See all posts by linda-misauer