Intelligent CIO Africa Issue 35 - Page 40

CIO opinion CIO OPINION “ TO MINIMISE RISK AND MAINTAIN CONTINUOUS COMPLIANCE THROUGHOUT THE HYBRID NETWORK, A UNIFIED APPROACH IS KEY. stages, to implementation and ongoing management, working closely with the CIO and DevSecOps team. Defining the CISO’s role in the age of DevSecOps As cloud projects and other Digital Transformation initiatives have gained momentum, we’ve seen the development of more DevSecOps (development, security and operations) teams. The aim of the team is to integrate security practices within the DevOps process. In theory, the way that these teams are structured should lead to security being considered throughout the life cycle of the cloud project. In practice, though, it can turn security into a simple checkbox exercise that fails to address the complexities of the cloud. definition of security, as infosec teams understand it – security isn’t linear in that sense. It shouldn’t be seen as a single step that needs to be taken during the implementation of a cloud service but, rather, as something that needs to be embedded at every stage of the initiative in order to reduce risk and ensure success. The genesis of DevSecOps teams shows that organisations are aware of the need for security checks. But it also exposes a lack of understanding about just how pervasive security needs to be in the cloud era. It falls on the CISO to communicate this need and, in turn, to help reshape the role of security within still nascent DevSecOps teams. How to improve cloud security and ensure that the CISO has a voice The most important thing that the CISO can do to improve cloud security is to make sure that they have a voice in these initiatives and that it’s heard – which is easier said than done. First, expand the visibility and insight to the cloud environment. Public cloud environments should be considered an integral part of the attack surface the CISO needs to secure. This doesn’t mean wrestling the controls away from IT teams. API connections and offline models can give security teams the needed oversight of cloud services without interfering in their operation. The abstraction of the hybrid network topology, security control mechanisms, assets, vulnerabilities and threats can help bring the security team to the new frontier and to deploy their security expertise in a timely manner. Second, partner with the cloud operations teams to extend and adapt the traditional security management processes around risk reduction and compliance to the cloud. In order to become a true partner to operations, the security team needs to work at the speed of DevOps and provide the means to ensure that during design, development, deployment and operation, the workload is properly secured and compliant with the relevant regulations. Analytics and automation are key buzzwords that security teams need to remember to be able to keep up. Third, get ahead of the curve. There are more disruptive cloud technologies to come and some may already be used in the organisation’s playground. Use the opportunity to catapult your team to the forefront of innovation. If the CISO is able to demonstrate the importance of such activities, they will be able to enact real change within their organisation and gain solid footing for future cloud and Digital Transformation projects. It’s high time that organisations acknowledged the significant role that security should play in delivering innovation – but it’s up to the CISO to get them to see the light. n The way that DevOps is developing and rolling out new applications makes sense for the function. Faced with great pressure to deliver services quickly, they’re embracing ‘shift left’ methodologies so that they can find and prevent software flaws earlier in the process. Doing so prevents them from having to unpick any potential mistakes that they may discover further down the line. This linear way of working makes sense for a team which is measured on ensuring stability and fast deployments. But it doesn’t make sense for the traditional 40 INTELLIGENTCIO