Like you, I get a lot of “You MUST watch this webinar” types of emails, and one of the last ones I got that somewhat piqued my interest given some things I’m helping a coaching and mentoring client with was a new one about the ever-present pipe dream promise of “Shift left” with DevSecOps.
Ostensibly, it was about all the issues in getting cross-functional teams to work. But what it was really about was that DevOps has issues since the developers are really just cowboys on the frontier of container development, and they don’t have any discipline, they share passwords, they don’t have isolated environments, and….
SSDP (where “P” is for “platform” rather than “day”).
And, of course, all these wild cowboys could be corralled back at the security ranch…if only you buy this nifty CI/CD security tool that makes sure they’re playing in the PAM playground rather than punching passwords on their lonesome, all lost in the wilderness.
Tools are certainly part of any viable solution. But tools alone – no matter how much you force them down people’s throats – aren’t going to solve it.
Since I seem to have gotten into a cow vibe, I thought it’d be worth telling you a little story about growing up on the farm. When I was a kid, we used to have this vet named Doc James.
Not, Dr., mind you. It was “Doc” James.
Anyway, this guy was one of the most impressive guys I’d ever seen—even next to my dad, and that’s saying something, because I think my dad was pretty cool.
Well…one of the things Doc James could do was that he was in such good shape at the time that he could give a shot to a cow, steer or other bovine beastie…
…simply by running along side it, jabbing it with the syringe, and the job was done.
It was pretty impressive—especially if you’ve ever been up close and personal with a big-boned beef cow—or their 1,200 lb. offspring.
But the thing was, you didn’t always call the vet when an animal got sick. Sometimes, you knew what they needed, and you treated them yourself. But there was no way that either me (I think I was 5 or 6 at the time) or my dad had either the agility or the experience of Doc James.
So, we had the next best thing: the cattle chute.
If you’ve never seen one of these, they’re the width of a cow, you drive the cow inside, clamp the doors shut behind their head, put a pole behind them, so they can’t back out if the would somehow get their head loose because you didn’t get it closed quite quick enough…or quite hard enough (which, of course…never, ever happened).
Once they were there, all wide-eyed, agitated and blowing cow-snot all over the place, you had to give them a shot.
Now some of these rascals really didn’t want to be there, and I remember my dad broke more than one needle and syringe off trying to inject them.
But then…eventually, my dad learned the trick.
Basically, you pounded them in the hip rather hard a few times, then jabbed only the needle into the muscle. They winced, but it wasn’t that big a deal. Once the needle was in, then you attached the syringe, gave them the shot (or more than one, if required), and off everyone went on their merry way.
Ok, so you might be thinking: what’s the point, Andrew? They’re cows.
Well, I can tell you, that’s not the important part of the story.
The important part of the story is we have 3 major players…let’s call them stakeholders…in this whole scenario: you have the vet, whose objective is to give the cow a shot. You have my dad, who also has the same objective when the vet isn’t around. And you have the sick cow.
The vet, expert that he was, didn’t need anything but his wits, his legs, and a syringe full of whatever it was the cow needed. No issue, and the job was done.
My dad – originally, at least – had the same tools. In fact, he actually had “fancier” tools, because his tools meant the job should’ve been technically easier to do…
…but it wasn’t.
And the reason it wasn’t was because the thing that was missing wasn’t the tool.
It was a set of behaviors.
Once you have the behaviors, the tool choice boils down to value-for-money and personal preference.
If you don’t have the behaviors, all the fancy tools in the world aren’t really going to help you. Even if you had a dart gun, you’d still have to have the skill to shoot the cow with it.
Developers don’t mix-and-match environments and get lackadaisical with secrets because they don’t have the tools.
That stuff happens because they don’t have the right behaviors—or maybe they don’t know what the rules really are, because they’re too busy poo-pooing all over those “antiquated” and “outdated” organizational security policies as they’re rewiring the world to run on infrastructure as code. It’s really hard to say.
So that means it’s either a policy problem, a policy translation problem and/or, at the root of the whole thing, a governance problem—not a tool problem.
Because, until you have the right behavior…until you’ve integrated policy INTO your tools…
…not REPLACED policy with whatever functionality the tool happens to have…
…will you actually have any confidence you’re keeping the organization safe.
How do you do that?
Well, I have no idea how YOU can do that, because I don’t know anything about the real challenges you’re facing, the constraints you’re under and what you really have to work with. As such, apart from some general advice about where you might start, it’d be obscenely arrogant and borderline asinine for me to even try.
But if you do want to do something about it…if you’d like to start figuring out how hard it’d be to identify – and ultimately fix – some of the core problems plaguing your security program that no tool will ever be able to touch…
…you might be interested in checking out this link:
It’s not for everyone. It’s expensive, and there’s no guarantee I can even help you—or that you’re willing to do what it takes to help yourself.
But you won’t know if we never talk about it, so maybe visiting that link, scrolling to the bottom and booking an eligibility interview might be worth your time. Or…it might not.
Only you can answer that question. In the meantime…
Andrew S. Townley
Archistry Chief Executive