04-30-20 - Security Should Shift Left, Up, and Then Spin Around

CISO | Security Vendor Relationship Series

This week's episode of Defense in Depth

On this episode of Defense in Depth:

Co-host Allan Alford and sponsored guest Sumedh Thakar, president and chief product officer, Qualys, discussed:

  • It's debatable whether the term "DevSecOps" should even exist. The argument for it is simply to make sure that security is part of the discussion, but security people feel that's redundant.

  • Security is not an additional process. It should be baked in. It's an essential ingredient.

  • But should it really be seen as "embedding" or rather a partnership? Developers and operations operate as partners.

  • Instead of dumping security tools on developers and just demanding "implement this," security needs to go through the same transition development had to go through to become part of "Ops".

  • As DevOps looks forward to what's next, how can security do the same?

  • Security is unfortunately seen as an afterthought, and that's antithetical to the DevOps philosophy.

  • Security is an innate property that imbues quality in the entire DevOps effort.

  • Security will slow down DevOps. It's unavoidable. Not everything can be automated. But if you deliver security in bite-sized chunks, you can get to an acceptable level of speed.

  • Business needs to specify the security requirements since they were the ones who specified the speed requirements. That's how we got to DevOps in the first place.

Thanks to this week's sponsor of Defense in Depth, Qualys.

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.


Yaron Levi, CISO, Blue Cross Blue Shield of Kansas City on useful metrics

TWO CISO Series Video Chats

Tomorrow [5-1-20] Hacking the Security Stack

Join us for “Hacking the Security Stack: An hour of critical thinking about what is going to disappear and what you’ll introduce in the security program of the future”.

Friday, 5-1-20 at 10 AM Pacific/1 PM Eastern

Next Friday [5-8-20] Hacking the Speed of GRC

Join us for "Hacking the Speed of GRC: An hour of critical thinking of how we can improve the governance, risk, and compliance process".

Friday, 5-8-20 at 10 AM Pacific/1 PM Eastern

Best Moments from "Hacking the Modern Workforce"

Here are seven minutes of the best moments from "Hacking the Modern Workforce" Video Chat. To watch the full video go here.

I moderated a discussion with Davi Ottenheimer, VP, trust and digital ethics for Inrupt, and John Racine, managing director, Core Security.

Huge thanks to everyone who participated, and see the blog post for the best quotes from the chat room. Lastly, congrats to Dutch Schwartz of AWS for offering up, for the second time in a row, the best bad idea. Watch the video for that moment and how they handled it.

For as long as we can handle it, our video chats will be happening every Friday at 10 AM Pacific/1 PM Eastern. Please follow us on Crowdcast to get announcements of each new video chat and also be alerted the moment a video chat goes live.

Thanks to our video chat sponsor, Core Security.

Marnie Wilking of Wayfair on GRC


Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.

If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.