Modern CISO challenges: Implementing DevSecOps, improving security operations
We sat down with Aaron Contorer, CEO at FP Complete, to learn more about what enterprises can do to increase their cybersecurity, the challenges related to DevSecOps implementations and improving overall security operations, and much more.
Based on your experience, what difficulties do large enterprises encounter when it comes to managing extensive IT projects? How can these be mitigated using modern technology?
Today’s companies are wrestling with a fundamental conflict. They are supposed to deliver new and increased IT capabilities all the time, yet they are also supposed to provide high levels of security and reliability. How do you make things safe for privacy, and guard against hackers and accidents, when you are supposed to be continually changing and upgrading key systems?
The best IT companies, like Google and Microsoft, know you can only accomplish this with good engineering practices, including DevOps, modern cloud architectures, and modern programming languages. These companies are able to deploy major upgrades to their software every day. So we know it’s a solved problem—but most companies have not adopted the necessary solutions.
In particular, DevOps, including DevSecOps for security, introduces automation and change control to a company’s online infrastructure. DevSecOps tools, when properly used, make online security a practical reality, and provide a level of control and automation that can prevent a company becoming the next Equifax.
Given the complexities of modern security architectures, what are the most significant challenges related to implementing DevSecOps?
Many companies tolerate and subsidize a constant state of crisis and firefighting. Instead of saying “enough is enough,” we need to act like engineers and fix the cause of our problems. The cause is outdated manual engineering systems that were never designed to handle the scale and complexity of modern IT. It’s frightening how many engineers and system operators are forced to deploy and maintain really complex solutions by hand, in an environment where one expired license—or one misconfigured server or account or firewall—can be the difference between success (often safety) and failure.
Frankly, if you do not budget to regulate and automate the control of your cloud systems in the coming year, you can bet on having serious IT failures that will hurt your company, and may even interrupt your business at an executive- or board-visible level. Privacy, security, and uptime are mandatory—and if you care about making it work, hope is not a strategy. Engineers need the support of management to allocate their time and resources, and they need access to proven best practices that can be put in place starting now.
What advice would you give to a newly appointed CISO who was tasked with improving overall security operations for a large enterprise?
First I would say “congratulations, you are probably the first executive in your company ever to take security quite so seriously.” And then I would say “caution, this means that everyone you depend on has old habits of taking security less seriously than you do.” This means you have to navigate the ship through uncharted waters, which requires a firm hand on the wheel.
My most practical advice is: do not get fooled into thinking that improving security requires a grand master plan. If you spend all your time strategizing about security instead of executing, by this time next year, you will be poorer, but no more secure. Instead, understand that many security practices and tools are already proven in the field, and ready for you to implement any time. You don’t need a wizard, and you don’t need a miracle. You need to issue this order to the team: make stepwise improvements in security at every level, starting right away.
My second piece of advice is: security that isn’t automated isn’t actually secure yet. Anything in your system that requires a manual step is going to break at some point, because we humans are not perfect. Even if we set up a server correctly three times, that doesn’t mean the staff will get it 100 percent right the fourth and fifth times when updating the software, scaling up capacity, or recovering hastily from an outage. Anything in your network and servers that must be properly configured, must be automatically configured. If you want things welded the same way every time, you get welding robots. If you want security, you get DevSecOps robots. And you don’t build them by hand either—you get ones that already exist.
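The "configured by hand three times, wrong the fourth" failure that Contorer describes is what a declarative desired-state check catches. The following is an added example, not code from the interview or from FP Complete: the desired state is what a team would commit to version control, the observed state is what a hypothetical inventory agent would report back, and both data sets (host names, ports, settings, the drifted web-02 host and the missing db-01 host) are constructed for this illustration. The check reports drift, emits an idempotent remediation plan, and exits non-zero so a pipeline gate can refuse to proceed.

```python
"""Added example: desired-state check for fleet security settings.

DESIRED is the version-controlled spec; OBSERVED is what an inventory
agent reports. Both are constructed sample data, not a real inventory.
"""
from typing import Any

# Desired state per host (constructed; in practice loaded from a file in git).
DESIRED: dict[str, dict[str, Any]] = {
    "web-01": {"ssh_password_auth": False, "listening_ports": {22, 443},
               "tls_min_version": "1.2", "unattended_upgrades": True},
    "web-02": {"ssh_password_auth": False, "listening_ports": {22, 443},
               "tls_min_version": "1.2", "unattended_upgrades": True},
    "db-01": {"ssh_password_auth": False, "listening_ports": {22, 5432},
              "tls_min_version": "1.2", "unattended_upgrades": True},
}

# Observed state from a hypothetical inventory agent (constructed).
# web-02 was rebuilt by hand: password auth left on, a debug port left open.
# db-01 never reported in, so the inventory has no record of it at all.
OBSERVED: dict[str, dict[str, Any]] = {
    "web-01": {"ssh_password_auth": False, "listening_ports": {22, 443},
               "tls_min_version": "1.2", "unattended_upgrades": True},
    "web-02": {"ssh_password_auth": True, "listening_ports": {22, 443, 8080},
               "tls_min_version": "1.2", "unattended_upgrades": True},
}


def diff_host(desired: dict[str, Any], observed: dict[str, Any]) -> list[tuple[str, Any, Any]]:
    """Return (setting, desired, observed) for every setting that drifted."""
    findings = []
    for key, want in desired.items():
        have = observed.get(key)
        if have != want:
            findings.append((key, want, have))
    return findings


def find_drift(desired_fleet: dict[str, dict[str, Any]],
               observed_fleet: dict[str, dict[str, Any]]) -> dict[str, list]:
    """Map each drifted host to its findings; a host absent from inventory is drift too."""
    drift: dict[str, list] = {}
    for host, spec in desired_fleet.items():
        if host not in observed_fleet:
            drift[host] = [("host", "present", "missing")]
            continue
        findings = diff_host(spec, observed_fleet[host])
        if findings:
            drift[host] = findings
    return drift


def remediation_plan(drift: dict[str, list]) -> list[str]:
    """Turn findings into idempotent actions a config tool would apply.

    Re-running the plan on an already-correct host yields no actions,
    which is the property that makes automated configuration safe.
    """
    plan = []
    for host, findings in drift.items():
        for key, want, have in findings:
            if key == "host":
                plan.append(f"{host}: re-provision from spec (not in inventory)")
            elif key == "listening_ports":
                have = have or set()
                for port in sorted(have - want):
                    plan.append(f"{host}: close port {port}")
                for port in sorted(want - have):
                    plan.append(f"{host}: open port {port}")
            else:
                plan.append(f"{host}: set {key}={want!r} (was {have!r})")
    return plan


def main() -> int:
    drift = find_drift(DESIRED, OBSERVED)
    for action in remediation_plan(drift):
        print(action)
    # Non-zero exit so a CI/CD gate fails instead of shipping on drifted hosts.
    return 1 if drift else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a pipeline step, the script prints the three actions for web-02 and db-01 and exits with status 1; once the fleet matches the spec it prints nothing and exits 0, so the same check can run on every deploy without anyone remembering to do it.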
How do you see DevSecOps evolving in the near future? What type of impact do you expect AI and machine learning to have on DevSecOps?
The main trend involves including more of the IT system under version management and professional-style engineering. Today, we usually build software and databases quite methodically, but we deploy them on fleets of cloud servers that are hand-installed by a secretive group of IT experts. Guess where the security holes in every month’s news are coming from? Not from the things that are under version control and have formal test case management, but from the secret, ad hoc deployment steps that someone “forgot” to do correctly when they read the plan off the faded napkin. So “Infrastructure as Code” is the big trend—using automated systems like Docker and Kubernetes to ensure complex webs of software and micro-services are always deployed correctly, and their clouds are always configured correctly.
The next big trend, which the major companies have already attained, is a dramatic increase in the tempo of new releases. Once upgrades to new features are fully automated, safe, and reliable, companies are moving to a rhythm in which IT is ready to push out new software every week, and later, every day—with no fire drill, no midnight conference call, just a swift IT factory pushing out a conveyor belt of new software all the time.
The big role of AI is in learning what a healthy system looks like, and identifying the indicators of trouble faster than any human can. Machine learning has an amazing capacity to wade through system logs and status monitors at a scale that would boggle any human brain, looking for that strange-shaped needle in a haystack made of a million other needles.
Advanced companies are monitoring system behavior continuously at the application layer, looking for any sign that users are receiving abnormal service. And quality-sensitive companies are using genetic algorithms or “mutation testing” to inject crazy conditions no one has yet seen, so they can identify system weaknesses at every layer long before any human would have thought to probe them.
No one is going to be out of work in the cloud engineering space. By getting the basics in place, like automated testing and automated continuous deployment, we free ourselves to move up the stack—to work on reliability engineering, on scalability, and ultimately, on delivering new business value and new features to our end users.
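Contorer's point about "learning what a healthy system looks like" and watching the application layer for abnormal service can be shown in miniature without any machine-learning library: build a per-endpoint baseline from a healthy window of access logs, then score a later window against it. The following is an added example, not code from the interview or from FP Complete. The log format, the endpoints (/login, /api/items, /admin/export), all timestamps, latencies and status codes are constructed for this illustration, and the thresholds (a latency z-score above 3, a 20-point jump in 5xx rate) are assumptions a real deployment would tune. It also shows the operational edge case a log pipeline must tolerate: a malformed line is counted and skipped rather than crashing the detector.

```python
"""Added example: baseline-vs-window anomaly detection over access logs.

Log lines, endpoints and thresholds are constructed for this example;
a real pipeline would read windows from a log aggregator.
"""
import re
import statistics
from collections import defaultdict

# Constructed format: "<timestamp> <METHOD> <path> <status> <latency>ms"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+)ms$"
)

# Healthy window (constructed): /login ~100ms with one 5xx in ten, /api/items ~50ms.
HEALTHY_LOGS = """
2024-05-01T10:00:00Z POST /login 200 90ms
2024-05-01T10:00:01Z POST /login 200 110ms
2024-05-01T10:00:02Z POST /login 200 90ms
2024-05-01T10:00:03Z POST /login 200 110ms
2024-05-01T10:00:04Z POST /login 500 90ms
2024-05-01T10:00:05Z POST /login 200 110ms
2024-05-01T10:00:06Z POST /login 200 90ms
2024-05-01T10:00:07Z POST /login 200 110ms
2024-05-01T10:00:08Z POST /login 200 90ms
2024-05-01T10:00:09Z POST /login 200 110ms
2024-05-01T10:00:10Z GET /api/items 200 40ms
2024-05-01T10:00:11Z GET /api/items 200 60ms
2024-05-01T10:00:12Z GET /api/items 200 40ms
2024-05-01T10:00:13Z GET /api/items 200 60ms
2024-05-01T10:00:14Z GET /api/items 200 40ms
2024-05-01T10:00:15Z GET /api/items 200 60ms
2024-05-01T10:00:16Z GET /api/items 200 40ms
2024-05-01T10:00:17Z GET /api/items 200 60ms
2024-05-01T10:00:18Z GET /api/items 200 40ms
2024-05-01T10:00:19Z GET /api/items 200 60ms
"""

# Later window (constructed): /login failing, /api/items slow, an endpoint
# never seen in the baseline, and one garbled line from the log shipper.
SUSPECT_LOGS = """
2024-05-01T11:00:00Z POST /login 500 90ms
2024-05-01T11:00:01Z POST /login 500 110ms
2024-05-01T11:00:02Z POST /login 200 90ms
2024-05-01T11:00:03Z POST /login 500 110ms
2024-05-01T11:00:04Z POST /login 200 90ms
2024-05-01T11:00:05Z POST /login 500 110ms
2024-05-01T11:00:06Z GET /api/items 200 400ms
2024-05-01T11:00:07Z GET /api/items 200 420ms
2024-05-01T11:00:08Z GET /api/items 200 380ms
2024-05-01T11:00:09Z GET /api/items 200 410ms
2024-05-01T11:00:10Z GET /api/items 200 390ms
2024-05-01T11:00:11Z GET /admin/export 200 250ms
2024-05-01T11:00:12Z GET /admin/export 200 260ms
garbage line from a log shipper hiccup
"""


def parse(text: str):
    """Parse log lines into dicts; malformed lines are counted, never fatal."""
    records, skipped = [], 0
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        records.append({"path": m["path"], "status": int(m["status"]), "ms": int(m["ms"])})
    return records, skipped


def summarize(records):
    """Per-endpoint request count, mean/stdev latency and 5xx error rate."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r)
    summary = {}
    for path, rs in by_path.items():
        latencies = [r["ms"] for r in rs]
        errors = sum(1 for r in rs if r["status"] >= 500)
        summary[path] = {"n": len(rs), "lat_mean": statistics.fmean(latencies),
                         "lat_std": statistics.pstdev(latencies), "err_rate": errors / len(rs)}
    return summary


def score_window(baseline, window, z_threshold=3.0, err_jump=0.2):
    """Compare a window's per-endpoint summary with the healthy baseline."""
    alerts = []
    for path, cur in window.items():
        base = baseline.get(path)
        if base is None:  # traffic to an endpoint the healthy window never saw
            alerts.append({"path": path, "kind": "unseen",
                           "detail": f"{cur['n']} requests to endpoint absent from baseline"})
            continue
        # Floor the stdev at 1ms so a perfectly flat baseline does not divide by zero.
        z = (cur["lat_mean"] - base["lat_mean"]) / max(base["lat_std"], 1.0)
        if z > z_threshold:
            alerts.append({"path": path, "kind": "latency",
                           "detail": f"mean {cur['lat_mean']:.0f}ms vs {base['lat_mean']:.0f}ms (z={z:.1f})"})
        if cur["err_rate"] - base["err_rate"] > err_jump:
            alerts.append({"path": path, "kind": "error_rate",
                           "detail": f"{cur['err_rate']:.0%} 5xx vs baseline {base['err_rate']:.0%}"})
    return alerts


def detect(healthy_text: str, suspect_text: str):
    """Return (alerts, malformed_line_count) for the suspect window."""
    healthy, _ = parse(healthy_text)
    suspect, skipped = parse(suspect_text)
    return score_window(summarize(healthy), summarize(suspect)), skipped


if __name__ == "__main__":
    found, bad = detect(HEALTHY_LOGS, SUSPECT_LOGS)
    for a in found:
        print(f"[{a['kind']}] {a['path']}: {a['detail']}")
    print(f"skipped {bad} malformed line(s)")
```

The baseline here is just a mean and standard deviation per endpoint; a production system would learn seasonality and use a sliding baseline, which is where the machine learning Contorer mentions earns its keep. The structure stays the same: a model of "healthy", a scoring function over the current window, and alerts that name the endpoint and the deviation so an operator can act on them.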