Smart organizations already know that running securely is key to success in today’s competitive landscape. So why isn’t security table stakes in 2018?
Unfortunately, there seems to be a disconnect between what organizations want when it comes to security, and what they’re actually able to put into practice. In Threat Stack’s recent report, Bridging the Gap Between SecOps Intent and Reality, we found that 85% of organizations believe bridging the gap and employing SecOps best practices is an important goal, yet just 35% say that SecOps is a completely or mostly established practice at their organizations, and 18% say it’s not established at all.
It’s clear that the challenge is how to make SecOps work in the real world. Whether you’re challenged by a security talent shortage, siloing between teams, out-of-date skills, or major rifts in perception, it is possible to better integrate SecOps using the right strategy.
To help you apply security best practices to your organization, let’s take a look at four concrete ways that teams can begin to close the SecOps chasm.
1. Start at the Top
If C-level executives deprioritize security, there’s no way SecOps can succeed. Remember: Security has ROI benefits, too, from speeding up sales cycles to opening up entirely new markets. Executives should understand the rewards of running both fast and securely, and should champion the need for secure processes and strategic investment in both people and tooling to support the SecOps cause.
2. Get Real About Where Your Team Stands
What does your team believe about integrating SecOps, and how much knowledge do they have about what an implementation would entail? Survey your team and find out what various teams’ and roles’ attitudes are toward the value of security and the current reality of your organization’s posture. This should give you a sense of where perception gaps exist and what it will take to open everyone’s eyes to where you really stand, so you can move forward with purpose.
3. Teach Your Teams to Fish
DevOps teams need to know how to use security tools and how to incorporate security best practices into their workflows. Security teams, likewise, need to learn how to code and integrate their efforts into continuous deployment cycles. Don’t wait for this process to happen organically; you must make a conscious investment in alignment and education across teams. In other words, teach them to fish, and SecOps will have a much greater chance of becoming a reality.
4. Assess the Risks and Prioritize Accordingly
Overwhelmed by your security to-do list? Start with infrastructure, because this area holds the highest risk and the greatest reward. Make sure you are following configuration management best practices and implementing security alerts that are well-tuned to your unique organization. Securing your infrastructure will have a ripple effect throughout the organization, from app dev to operations.
5. Be Deliberate in Implementation
When it comes to implementing an integrated SecOps program, your organization needs to be deliberate. The most successful SecOps implementations include:
- Strategy: Even the best intentions and ambitions for integrating security and operations can disintegrate if there isn’t an actionable strategy behind them.
- Designated Owners: You have to get the right people involved, and we recommend a top-down approach. As we’ve written, C-level executives need to steer the ship.
- Training: There can be a big gap in understanding between security and DevOps teams, so it’s essential to prepare teams and implement a security awareness program throughout the organization.
- Clear Processes: With people now working together who may not have worked together before, and with several tools required to get the job done, clear and well-documented processes are needed to tie it all together.
- Common Success Metrics: After putting a lot of work into your SecOps plan, you should be able to show that it’s actually working. You should also have some metrics or KPIs, such as Mean Time To Know, to show quantitative improvements from your SecOps implementation. Most importantly, these should be shared KPIs across teams.
SecOps in the Real World
In order to integrate SecOps into your organization, all stakeholders need to have a firm grasp on your reality today and what you want your reality to look like tomorrow. Understanding where things currently stand will allow you and your team to examine current practices with a clear head and agree on what it will take to move forward. By following the recommendations we’ve outlined in this post, you should be able to make solid strides toward implementing SecOps in the real world.
To learn more about what our survey uncovered and how it can be applied to your organization, download your copy of Bridging the Gap Between SecOps Intent and Reality.