
Why do digital-first companies also put security first?

Digital-first companies share common characteristics. Their culture and practices are customer-centric, data-driven and agile; they operate DevOps; they enforce, equally if not most importantly, a security-first model in development and operations; and they automate as many IT services as possible to optimize processes and workflows across and between domains.
Why is a security-first culture significant and central to digital-first companies? To paraphrase a Forrester Research technology predictions report: security is the new way to gain an edge over the competition. In an age of heightened cyber attacks coupled with an obsession for superior customer experiences, security, governance and compliance have the greatest potential to earn user trust and win customers away from competitors.

What do security-first organizations look like?

A security-first organization recognizes that being digitally forward also means an increased risk of cyber attacks. Constant connectivity, reliance on complex data sets from multiple systems, and autonomous machines that execute and manage tasks and processes all enlarge the digital footprint that attackers target. With that recognition comes a proactive and responsive strategy to build cyber resilience: mitigate risk, avert attacks, and respond swiftly to a security breach.
Here are some things security-first organizations are doing to build cyber resilience:
Empowering security leaders: giving security leaders such as CISOs a seat at the decision-making table puts security, compliance and governance front and center in every operational aspect of the business. It enables them to enforce the notion that “security is everyone’s responsibility” and make DevSecOps the way of operating.
Involving employees: enlist employees as guardians of their own data and privacy, and design security best practices for them to use as guidelines.
Putting security at the center of the customer experience: customers often bear the brunt of a security breach. When all leaders agree to enforce “Security as Code” at every stage of the product development lifecycle, they ensure that sensitive customer data is protected.
Extending security policies beyond the organization: to protect procedures and relationships with suppliers, partners and third parties, security practices must scale beyond the walls of the company, covering the vulnerable data and processes that live outside of it.
Here are six important aspects of DevSecOps that can be practiced to implement a security-first model.
  1. Code analysis: deliver code in small chunks so vulnerabilities can be identified quickly.
  2. Change management: increase speed and efficiency by allowing anyone to submit changes, then determine whether each change is good or bad.
  3. Compliance monitoring: be ready for an audit at any time, which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.
  4. Threat investigation: identify potential emerging threats with each code update and be able to respond quickly.
  5. Vulnerability assessment: identify new vulnerabilities through code analysis, then track how quickly they are responded to and patched.
  6. Security training: give software and IT engineers guidelines for their standard routines.

What cultural shifts are required to become a security-first company?

Becoming security-first is as much a matter of technology as it is a shift in perception about the importance and relevance of security. Traditionally, security is treated as an afterthought, introduced near the end of the development lifecycle at the deployment stage. Moving away from this old attitude means embracing a key pillar of the DevSecOps Manifesto: Security as Code and the principle “that everyone is responsible for security.”
The reverse is also true. Security leaders require a change of attitude towards the technologies, tools and practices that foster agility and fast availability of software releases. The only way to align these seemingly opposing visions is through meaningful collaboration and a shared presence at the decision-making table for security, business, IT development and IT operations leaders.
“By developing security as code, we will strive to create awesome products and services, provide insights directly to developers, and generally favor iteration over trying to always come up with the best answer before a deployment. We will operate like developers to make security and compliance available to be consumed as services. We will unlock and unblock new paths to help others see their ideas become a reality.”
DevSecOps Manifesto

What technologies create opportunities to transform into a security-first digitally-forward organization?

Cloud platforms
Automation tools
Microservices
DevOps technologies (CI/CD pipelines)
Identity management platforms
AI/ML-driven code analysis solutions

Conclusion

The pace of technology innovation continues to eliminate the rationalizations for not designing and implementing a security-first strategy. DevSecOps, a recent evolution of DevOps, is gaining popularity as a viable way to adopt tools and technologies that automate IT and business processes and flows while integrating security policies and protocols across all stages of a process lifecycle. As IT development, operations and security join to form cross-domain collaborations, the leap to becoming security-first is accessible to any organization and within financial reach.
JDK Technologies is a leader in IT services. We build enterprise-level technology solutions that help businesses become agile and increase their speed to value.
© 2019 JDK Technologies. All rights reserved.