Suzi Dyke insight into the change in security — compliance, culture and controls.
A couple of nights ago we ran Season 1, Episode 05 of the DevSecOps meetup for the attendees. The speaker of the night was Suzi Dyke, who shared her insight into how the compliance, culture and controls side of security is changing, and how DevOps and security can work together, based on her experience at “Customer-X”.
“Customer-X” refers to a joke that came out of the 40-minute Q&A session we had after the talk. You had to be there to get the context. :)
Sponsor shoutout before heading into the presentation learnings:
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
My key takeaways from the talk — I took only a few pictures, as I found myself nodding along to a lot of the insights being shared.
- With the data breach mandate, Australian organisations storing sensitive personal information are legally required to notify of any breach that may cause serious harm. This means that, as an organisation, we need to be more aware of where sensitive data is stored and what is running in the company’s infrastructure, both physical and cloud.
- This need for awareness means the need for governance within an organisation is growing.
- Challenge — governance is not a one-size-fits-all problem.
- Quote from a conference Suzi attended — “Bad guys are investing $3 for every $1 invested in defence by security … one of the current areas of interest for bad guys being AI”
- Controls change
- Problem — one of the biggest impacts on governance is the volume of changes coming through.
- Challenge — old company operational checklists for application deployment patterns don’t work in a DevOps world.
- Past ITIL approach, before DevOps — operational checklists and a Change Approval Board, which is a guide-and-prevent model.
- Current ITIL approach, because of DevOps — automated, pre-approved standard changes with automated rollback, which is a guide, monitor and respond model.
- Compliance Change
- Continuous monitoring and real-time assessments are becoming the recommended approach for a constantly changing, non-persistent IT environment.
- Honourable mention of tools — Netflix Simian Army, and tools that help test the security posture.
- Mention of tools that give visibility of security posture, continuous protection and compliance across organisation assets.
- Control on Shadow IT
- New skills are required — auditors need to know how to read scripts, as most of the controls are now scripted.
- Automated compliance checks are the way forward.
- Culture Changes
- A mindset shift from policing to enabling is required from security governance.
- A mindset shift is required from DevOps teams to take ownership of security activities, shifting them “left”.
- IT is still changing — IT governance needs to be lean, agile, automated and continuous.
- This, however, is challenging for organisations with legacy IT.
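To make the “controls are scripted” and “automated compliance checks” points concrete, here is an added example of a policy-as-code check (my illustration, not code from the talk or from any tool Suzi mentioned). It runs a handful of readable rules over a constructed asset register covering cloud and physical assets: is personal data encrypted and kept off the public network (the breach-mandate concern), is every running asset actually in the register (shadow IT), and was it created through a recorded standard change. The asset names, ticket ids and rule names are all made up for the example.

```python
"""Added example: automated compliance check over an asset register.

Every rule is a short function an auditor can read and sign off on,
which is the point behind "auditors need to know how to read scripts".
All assets, ticket ids and rule names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Asset:
    """One entry in the (constructed) asset register."""
    name: str
    location: str                 # "cloud" or "physical"
    holds_personal_data: bool     # in scope for the breach notification mandate
    encrypted_at_rest: bool
    publicly_reachable: bool
    in_register: bool             # False => found running but never approved (shadow IT)
    change_ticket: Optional[str]  # id of the pre-approved standard change that created it


@dataclass
class Finding:
    asset: str
    rule: str
    severity: str  # "critical" | "high" | "medium"
    detail: str


# Each rule returns a Finding when the asset breaks the control, else None.
def personal_data_encrypted(a: Asset) -> Optional[Finding]:
    if a.holds_personal_data and not a.encrypted_at_rest:
        return Finding(a.name, "personal-data-encrypted", "high",
                       f"holds personal data but is not encrypted at rest ({a.location})")
    return None


def personal_data_not_public(a: Asset) -> Optional[Finding]:
    if a.holds_personal_data and a.publicly_reachable:
        return Finding(a.name, "personal-data-not-public", "critical",
                       "personal data is reachable from the public network")
    return None


def asset_in_register(a: Asset) -> Optional[Finding]:
    if not a.in_register:
        return Finding(a.name, "asset-in-register", "high",
                       "running asset is not in the register (shadow IT)")
    return None


def change_recorded(a: Asset) -> Optional[Finding]:
    if not a.change_ticket:
        return Finding(a.name, "change-recorded", "medium",
                       "no standard-change record exists for this asset")
    return None


RULES: List[Callable[[Asset], Optional[Finding]]] = [
    personal_data_encrypted, personal_data_not_public, asset_in_register, change_recorded,
]


def evaluate(assets: List[Asset]) -> List[Finding]:
    """Run every rule against every asset; a scheduled job would call this continuously."""
    findings: List[Finding] = []
    for asset in assets:
        for rule in RULES:
            result = rule(asset)
            if result is not None:
                findings.append(result)
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, for the dashboard or the monthly governance report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def non_compliant_assets(findings: List[Finding]) -> List[str]:
    return sorted({f.asset for f in findings})


# Constructed inventory (not real systems): one clean database, one badly set up
# export bucket, one unregistered dev VM, and one on-premises NAS.
INVENTORY = [
    Asset("crm-db", "cloud", True, True, False, True, "CHG-0001"),
    Asset("exports-bucket", "cloud", True, False, True, True, None),
    Asset("dev-vm-42", "cloud", False, True, False, False, None),
    Asset("archive-nas", "physical", True, False, False, True, "CHG-0002"),
]

if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for f in results:
        print(f"[{f.severity:8}] {f.asset:15} {f.rule}: {f.detail}")
    print("summary:", summarise(results))
    print("non-compliant:", non_compliant_assets(results))
```

Run as-is it reports six findings across three of the four assets. The useful property is that adding a control means adding one small function to `RULES`, and reviewing a control means reading that function, which is exactly the skill shift the talk described for auditors; the same script can sit in a pipeline as a pre-approved gate rather than a Change Approval Board meeting.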
My favourite quote from the speaker
“Automating a bad process makes a bad process faster, not better — review the process before automating it.”
Personal question(s) that I took away from the talk
- What happens to good old change management?
- Does the use of a CASB become a control or restriction on developers’ progress?
As always, feel free to reach out if you have something you would like to share or talk about at the next meetup. :)