Accountability Through Reporting: The Path to True DevSecOps

Visibility within an application security (AppSec) program is key to accountability. CISOs and executive leaders can’t expect to hold developers and product lines responsible for security when these professionals don’t have the comprehensive insight needed to properly assess risk and security gaps.

The notion of who is ultimately responsible for security is problematic when these decisions are not made early and well. Although a DevSecOps model implies a shared AppSec responsibility model across Security and DevOps teams, it is not always effective. Sometimes when “everyone” is accountable, no one is accountable—and security falls through the cracks. Without accountability and visibility into AppSec risk, there is no real way for developers, engineers or a specifically assigned security champion to ensure it happens.

An Impossible Job

CISOs and their teams are ultimately responsible for managing enterprise security and risk—but it becomes an impossible task without the right level of AppSec visibility. When CISOS can’t find a way to properly assess risk and ensure security happens, bigger problems emerge.

While they may not sweat the small stuff, the board and executive teams expect corporate CISOs to understand application risk across all areas of the business. To achieve this, CISOs and security teams need the ability to identify which applications across the entire portfolio are at risk—and why. The security visibility that comes from advanced analytics and reporting makes this possible and drives accountability within all levels of the organization. Once CISOs find this degree of insight, they are equipped to manage and communicate risk, essentially spreading security ownership outward within a business context.

An Aerial View of Security

Advanced DevSecOps analytics and reporting provide an aerial view of AppSec across an enterprise, including disparate business lines. As part of a strong cyber risk management program, this data helps CISOs understand risk through hard data, not estimation. And this level of visibility allows teams to communicate more collectively around decisions of vulnerability management.

Security insight provides answers to critical questions like:

• When did security scans occur?
• What vulnerabilities were identified?
• Was remediation properly addressed?
• Why did this specific security breach happen?
• What security policies have resulted from this incident?

Accountability removes questions and makes action easier to take. A CISO’s ability to communicate in this way enables the prioritization and management of corporate risk and demonstrates a continuous improvement model. Additionally, through the visibility of better reporting, CISOs have the power to ensure organizational needs around compliance and governance requirements are met and understood by all.

The insight provided through advanced analytics gives CISOs a way to build the path to true DevSecOps, where security and development are fused into one common vision of risk avoidance. Money and time are not wasted. Both security and development teams can use these analytics to drive a more federated approach to security, with less friction and better workflows—the way DevSecOps is meant to be.