Dear IT Operations: It’s Time To Get Serious About Security
Okay, I’ll apologize right away to the IT ops teams that are already security-savvy. Hats off to you. But I suspect there are still a few that leave security to the CISO’s team.
On Friday, May 12, 2017, evil forces launched a ransomware pandemic, like a defibrillator blasting security into the heart of IT operations. What protected some systems? It wasn’t an esoteric fancy-pants security tool that made some organizations safe; it was simple e-hygiene: Keep your operating systems current. Whose job is that? IT operations’. Had the victims kept up with OS versions and patches, they wouldn’t have been working over the weekend to claw back from disaster. What’s the path to quick restoration? Having a safe offline backup. Whose job is that? IT operations’. The WannaCry ransomware outbreak is a brutal reminder that IT operations plays a critical role (or not!) in protecting the business from villains.
While headlines get everyone’s attention, there’s another non-news reason for IT operations to step up its security role, and that’s profit. In this age of the customer, the businesses that gain market share and disrupt industries are exceptionally agile; they deliver the features that users want as fast as they want them. DevOps arose from that new reality: to make IT operations as quick and nimble as developers are. In the process (and I would argue that this should be essential to the process), operations people learned a lot more about development, and developers learned a lot more about operations. The infamous “wall” between dev and ops is crumbling, and customers, the business, and shareholders are happier for it.
The next wall to demolish is the one that isolates the security team. The traditional approach of a massive security test/audit, run by the CISO’s team and squeezed between development and deployment, is neither effective nor efficient. Instead, every employee must understand their role in keeping the business and its customers safe. End users must watch every email for phishing. Developers must watch every build for vulnerabilities. Operations must leverage its everyday monitoring to also prevent, detect, contain, and mitigate threats.
The natural question is whether this universal attention to security will be a drag on agility. The answer is no. By applying security tools and techniques throughout the software life cycle, shifted left as much as possible, you can maintain, or even improve, security without impeding agility. This means that IT operations team members, among others, must make security part of their everyday thoughts and actions. Tear down that wall! Welcome security professionals onto the team, and embrace DevSecOps. To learn more, have a look at my latest report, Best Practices: Strategies For Making The Crucial Shift To DevSecOps.