Three DevSecOps Lessons Drawn from Conversations with 45 CISOs - Security Boulevard

SBN Three DevSecOps Lessons Drawn from Conversations with 45 CISOs

Recently, I moderated round table discussions between dozens of CISOs at Evanta CISO Summits in Chicago and Atlanta. My colleague, Michelle Dufty, moderated a similar event in San Francisco.

The purpose of the sessions was to have an authentic conversation about the emerging practice of DevSecOps and explore the following unconventional idea:

CISOs can reduce risk and significantly improve an organization’s IT security posture by shifting more of their resources to the beginning of the digital supply chain (playing offense) — rather than over-investing resources at the end of the digital supply chain (playing defense).

To help foster dialog, we asked participants to share a perspective on two things:

  1. How can CISOs become better partners to software developers and others who are responsible for driving digital innovation?
  2. How can front line software developers become better partners to CISOs in regards to reducing risk and improving enterprise security?

Our sessions were attended by 45 CISOs, hailing from a variety of public and private industries, such as communications, finance, insurance, manufacturing, retail, transportation and government. The mix gave us insight into how different verticals think about DevSecOps and highlighted how, regardless of industry, “AppSec” is an area that is garnering more attention from CISOs.

By a show of hands, approximately 30% of the CISOs in attendance indicated that they were actively working to “shift left” and find ways to collaborate more effectively with development colleagues responsible for building software at the beginning of the digital supply chain.  Conversely, approximately 70% of the CISOs in attendance indicated that a vast majority of their time and energy remains focused on traditional initiatives designed to secure the enterprise perimeter and defend assets at the end of the digital supply chain.

By themselves, these findings are not surprising. The concept of DevSecOps is still very (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Matt Howard. Read the original post at:

Matt Howard

Matt Howard is CMO and SVP of Sonatype, the inventors of software supply chain automation. He is a proven executive and entrepreneur with over 20 years experience developing high-growth software companies. Prior to Sonatype, Mr. Howard co-founded, developed and successfully sold two software companies.

matt-howard has 13 posts and counting.See all posts by matt-howard