CIO opinion
“To minimise risk and maintain continuous compliance throughout the hybrid network, a unified approach is key.”

stages, to implementation and ongoing management, working closely with the CIO and DevSecOps team.

Defining the CISO’s role in the age of DevSecOps

As cloud projects and other Digital Transformation initiatives have gained momentum, we’ve seen the development of more DevSecOps (development, security and operations) teams. The aim of the team is to integrate security practices within the DevOps process.

In theory, the way that these teams are structured should lead to security being considered throughout the life cycle of the cloud project. In practice, though, it can turn security into a simple checkbox exercise that fails to address the complexities of the cloud.

The way that DevOps is developing and rolling out new applications makes sense for the function. Faced with great pressure to deliver services quickly, they’re embracing ‘shift left’ methodologies so that they can find and prevent software flaws earlier in the process. Doing so prevents them from having to unpick any potential mistakes that they may discover further down the line.

This linear way of working makes sense for a team which is measured on ensuring stability and fast deployments. But it doesn’t make sense for the traditional definition of security, as infosec teams understand it – security isn’t linear in that sense. It shouldn’t be seen as a single step that needs to be taken during the implementation of a cloud service but, rather, as something that needs to be embedded at every stage of the initiative in order to reduce risk and ensure success.

The genesis of DevSecOps teams shows that organisations are aware of the need for security checks. But it also exposes a lack of understanding about just how pervasive security needs to be in the cloud era. It falls on the CISO to communicate this need and, in turn, to help reshape the role of security within still-nascent DevSecOps teams.

How to improve cloud security and ensure that the CISO has a voice

The most important thing that the CISO can do to improve cloud security is to make sure that they have a voice in these initiatives and that it’s heard – which is easier said than done.

First, expand visibility and insight into the cloud environment. Public cloud environments should be considered an integral part of the attack surface the CISO needs to secure. This doesn’t mean wrestling the controls away from IT teams. API connections and offline models can give security teams the oversight they need of cloud services without interfering in their operation. Abstracting the hybrid network topology, security control mechanisms, assets, vulnerabilities and threats can help bring the security team to the new frontier and let them deploy their security expertise in a timely manner.

Second, partner with the cloud operations teams to extend and adapt the traditional security management processes around risk reduction and compliance to the cloud. In order to become a true partner to operations, the security team needs to work at the speed of DevOps and provide the means to ensure that during design, development, deployment and operation, the workload is properly secured and compliant with the relevant regulations. Analytics and automation are the key capabilities that security teams need if they are to keep up.

Third, get ahead of the curve. There are more disruptive cloud technologies to come, and some may already be in use in the organisation’s playground. Use the opportunity to catapult your team to the forefront of innovation.

If the CISO is able to demonstrate the importance of such activities, they will be able to enact real change within their organisation and gain solid footing for future cloud and Digital Transformation projects. It’s high time that organisations acknowledged the significant role that security should play in delivering innovation – but it’s up to the CISO to get them to see the light.
INTELLIGENTCIO
www.intelligentcio.com