As you might know, I really do waffle a bit between loving and hating DevSecOps as a concept. I think it’s great on the one hand because it’s shined a light on a lot of really bad software development practices people like John Viega, Gary McGraw and my friend Sverre Huseby have been talking about for over 15 years…
…but I think it’s bad because people treat having some kind of security automation in their CI/CD pipelines like it’s a picnic in the park—
It’s everything they need to do as far as an enterprise security program goes, all self-contained on one little checkered blanket, sitting in the sunshine with the only problems being ants, flies and the occasional wayward child chasing a football or frisbee.
In the real world, we go sit down and eat in the restaurant, and your pretty little DevOps-driven entree is consumed sitting in the middle of a buzzing ecosystem that needs to be carefully orchestrated and controlled to make sure the right food gets to the right table at the right temperature.
Focusing on one customer at one table is as good a way for a restaurant to go out of business as focusing only on the AppSec aspects you can bake into agile software development is for a modern organization.
Even if you’re a web-first, SaaS company, that cash cow doesn’t graze in a pasture all by itself. You’ve a lot of supporting infrastructure, processes and information required to actually turn the potential value of that service into the viability of an ongoing business.
But…one of the problems is that many tech and security people just don’t understand how a business works, and that the function of security is to protect and enable the ENTIRE business—not just one piece of it.
So yesterday I saw drivel in my inbox about how, while DevSecOps is somehow now “mainstream”, we somehow still have “experts” claiming that the toughest cybersecurity challenges incredibly remain unsolved.
Woah….how can that possibly be, right?
Perhaps it’s because the “toughest cybersecurity challenges” they’re talking about aren’t really related to breaking into buildings, systems or software; they’re related to the structure and behavior of the PEOPLE in the organization itself.
If you’ve been reading these emails for quite a while, you’ll already know that most of the challenges in security I talk about aren’t what people typically consider “cyber” or “security” because I’m not too terribly interested in the mechanics and the blinking and beeping infrastructure of your control implementations. That’s where most people focus, but that’s not where the problems come from.
Since I started these emails in the beginning of the year, to the launch of the Security Sanity™ newsletter in July to the first publication of The Agile Security System™ in August—and even as far back as when I was teaching the official SABSA Foundation courses years ago…
…I’ve always maintained that what people typically consider “security” isn’t what’s going to make or break your security program’s effectiveness. It’s won or lost looooooong before you pay a “security” vendor a single red cent.
It’s made in how you understand the value your controls bring to the organization and how you make sure you have some way to understand and manage the risks the organization faces due to its use of people, information and technology.
If you want to know more about how to focus your own day-to-day job on getting security right and enabling your organization before the big mirrored ball drops on 2019, then TODAY is the last day to book a call to get started with our 6-week Effective Security Bootcamp individual coaching program.
You really can change your perspective about security and the way you do your job in as little as 6 weeks—but only with the right focus and guidance. If you’re ready to do something different and learn to be more effective with direct oversight, training and guidance from me on a weekly basis, then step 1 is to book your screening call here:
Step 2 is that we agree on the problem or skill to address in the program and on some tangible targets we can recognize as success.
Step 3 is to schedule the first of your 6 30-minute coaching calls for this week so we can get you started, begin to review and correct your work and teach you more effective ways to do whatever it is you do, whether that’s reviewing project architectures, conducting risk assessments or governing the allocation of work across the security team.
It’s task-based, focused skill development. We’re not talking about wholesale transformation of your security program here. It’s about making you a better you.
But that might not be on your agenda for the rest of the year, and that’s ok.
You’re free to ignore the whole deal – or wait for another time – and lose the $900 discount, which makes the standard one-time payment only $2,497 or two installments of $1,398.
Today’s the last day, and it’s not about the usual 11:59 US/Eastern deadline. This offer expires when I turn out the lights for the day and don’t have any more available slots in my calendar.
If you’re in, great. If you miss it, I don’t want to hear any excuses or attempts to get in after today, because I’ve been talking about this since the weekend.
Only you can decide when the right time to get better at what you do really is. Whatever your decision, I’m sure it’ll be the right one for you.
Andrew S. Townley
Archistry Chief Executive