Archistry

Survivability by Design™ since 2006


November 14, 2019

DevSecOps picnics in the park

As you might know, I really do waffle a bit between loving and hating DevSecOps as a concept. I think it’s great on the one hand because it’s shined a light on a lot of really bad software development practices people like John Viega, Gary McGraw and my friend Sverre Huseby have been talking about for over 15 years…

…but I think it’s bad because people treat having some kind of security automation in their CI/CD pipelines like it’s a picnic in the park—

It’s everything they need to do as far as an enterprise security program goes, all self-contained on one little checkered blanket, sitting in the sunshine with the only problems being ants, flies and the occasional wayward child chasing a football or frisbee.

Really??

In the real world, we go and sit down to eat in a restaurant, and your pretty little DevOps-driven entrée is consumed in the middle of a buzzing ecosystem that needs to be carefully orchestrated and controlled to make sure the right food gets to the right table at the right temperature.

Focusing on just one customer at one table is as sure a way for a restaurant to go out of business as it is for a modern organization to focus only on the AppSec aspects you can bake into agile software development.

Even if you’re a web-first, SaaS company, that cash cow doesn’t graze in a pasture all by itself. You have a lot of supporting infrastructure, processes and information required to actually turn the potential value of that service into the viability of an ongoing business.

But…one of the problems is that many tech and security people just don’t understand how a business works, and that the function of security is to protect and enable the ENTIRE business—not just one piece of it.

So yesterday I saw drivel in my inbox claiming that, while DevSecOps is somehow now “mainstream”, we somehow still have “experts” claiming that the toughest cybersecurity challenges incredibly remain unsolved.

Whoa… how can that possibly be, right?

Perhaps it’s because the “toughest cybersecurity challenges” they’re talking about aren’t really related to breaking into buildings, systems or software; they’re related to the structure and behavior of the PEOPLE in the organization itself.

If you’ve been reading these emails for quite a while, you’ll already know that most of the challenges in security I talk about aren’t what people typically consider “cyber” or “security” because I’m not too terribly interested in the mechanics and the blinking and beeping infrastructure of your control implementations. That’s where most people focus, but that’s not where the problems come from.

From when I started these emails at the beginning of the year, through the launch of the Security Sanity™ newsletter in July, to the first publication of The Agile Security System™ in August—and even as far back as when I was teaching the official SABSA Foundation courses years ago…

…I’ve always maintained that what people typically consider “security” isn’t what’s going to make or break your security program’s effectiveness. It’s won or lost looooooong before you pay a “security” vendor a single red cent.

It’s made in how you understand the value your controls bring to the organization, and in how you make sure you have some way to understand and manage the risks the organization faces due to its use of people, information and technology.

If you want to know more about how to focus your own day-to-day job on getting security right and enabling your organization before the big mirrored ball drops on 2019, then TODAY is the last day to book a call to get started with our 6-week Effective Security Bootcamp individual coaching program.

You really can change your perspective about security and the way you do your job in as little as 6 weeks—but only with the right focus and guidance. If you’re ready to do something different and learn to be more effective with direct oversight, training and guidance from me on a weekly basis, then step 1 is to book your screening call here:

https://archistry.com/go/SecurityBootcamp

Step 2 is that we agree on the problem or skill to address in the program, and agree on some tangible targets we can recognize as success.

Step 3 is to schedule the first of your 6 30-minute coaching calls for this week so we can get you started, begin to review and correct your work, and teach you more effective ways to do whatever it is you do, whether that’s reviewing project architectures, conducting risk assessments or governing the allocation of the work across the security team.

It’s task-based, focused skill development. We’re not talking about wholesale transformation of your security program here. It’s about making you a better you.

But that might not be on your agenda for the rest of the year, and that’s ok.

You’re free to ignore the whole deal – or wait for another time – and lose the $900 discount, which makes the standard one-time payment only $2,497 or two installments of $1,398.

Today’s the last day, and it’s not about the usual 11:59 US/Eastern deadline. This offer expires when I turn out the lights for the day and don’t have any more available slots in my calendar.

If you’re in, great. If you miss it, I don’t want to hear any excuses or attempts to get in after today, because I’ve been talking about this since the weekend.

Only you can decide when the right time to get better at what you do really is. Whatever your decision, I’m sure it’ll be the right one for you.

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Agile, Agile Security, Coaching Program, DevOps, DevSecOps, SABSA, Security Challenges, Security Skills, Security Value
