Progress has always changed the way businesses operate, as new market demands are met with new products, underpinned by new technologies. For instance, windmills improved delivery for flour, trucks allowed more to be delivered faster, and telephones connected companies in real-time with customers, no matter where they were.

Such an evolution is currently underway again. Its pinnacle is the digital business, an agile enterprise that conducts transactions more efficiently and effectively than ever before. They do so by being cloud-native companies, adopting open platforms as well as fluid development methodologies often referred to as DevOps.

But in this digital evolution, cybersecurity has been slow to adapt. In 2017, the Word Economic Forum rated cybersecurity as one of the top risks facing the world today. Our recent Executive Guide to the NTT Security 2018 Global Threat Intelligence Report shows how extensive this risk is. It highlights that although finance was the most attacked sector over 2017, technology achieved the unenviable kudos of achieving a 25% increase in attacks, globally.

Traditional security is a reactive force, applied after other processes. There are several reasons for this, not the least because cybersecurity is often treated as a grudge purchase . It makes do with budgetary scraps after other requirements have been met. But such an approach is incompatible with the new business evolution and demands a new approach: the DevSecOps way . DevSecOps seeks to use the lessons already applied to the development process and apply them to the implementation of security.

The new business evolution demands a new approach: the DevSecOps way. Read more @Dimensiondata. Tweet this

Welcome to DevSecOps

DevOps speaks of continuous integration, continuous development. It attempts to create more flexibility in an organisation’s environment, enabling teams to make changes and test innovations without disrupting the larger company ecosystem. The door, in turn, is opened for incremental improvements and low-risk-high-reward experiments. By integrating cybersecurity with the continuous integration and continuous deployment pipelines, the security team is able to participate in rapid feedback loops to detect and resolve problems before they become a production issue. This reduces remediation cost and improves software quality. In a DevOps environment, projects aren’t scoped for months with gargantuan budgets. They operate over weeks, proving their muster before gaining more resources.

The entire business has to embrace this new agility. Traditional structures don’t have the flexibility to bend with the needs of an agile business. Priorities in the agile world are all systematically included and scaled. Instead of first building walls, then a roof, then windows and doors, everything is done at once, then scaled and improved.

But if security is left waiting in the wings instead of participating, it creates big problems. Traditional security is impeding agile companies, bogging down project and process development, even derailing them completely. The old way of shoehorning security into completed projects simply does not work anymore. Security needs to be there every step of the way, hence DevSecOps and the larger vision of cybersecurity agility.

Establishing cybersecurity agility

The good news is that a business doesn’t need to be radically, digitally mature in order to become agile. This is something that can be introduced early, even helping forge a truly digital and agile future.

But there’s a catch: cyberagility isn’t a service that one can buy. It doesn’t arrive in a box, or application. The reason why cyberagility can promote overall flexibility and pragmatism is that it requires a mindset change across the entire organisation.

From a DevOps perspective, organisations have to realise that if security is left out of culture, there are only two outcomes: either security is going to slow down development cycles and release, or deployment will happen without security oversight, and therefore increase risk. Both scenarios are an open invitation for business disruption leading to security breaches, reputational damage, business process/product failure, or regulatory fines.

The traditional paradigm of cybersecurity as a grudge purchase has to make way for security as a strategic imperative. Think about it this way: if a food processing plant only tested its final products for contamination, instead of enforcing a hygiene culture all along the assembly line, it’s going to lose more products, have little control over any contamination in its processes, and even risk poisoning its customers. So food safety is a crucial, business strategy level element.

Cybersecurity agility is the exact same. If the security practices aren’t baked in throughout the development cycle, a business won’t have control and lose dearly when things go bad. Therefore, cybersecurity must be a topic the C-suite appreciates and includes as a valid risk consideration. Attitudes that security is expensive and slows down time-to-market must be shifted to security as a core business requirement for successful products, services and processes. Likewise, the belief that cybersecurity is the problem of the CIO or CISO needs to be replaced by an acceptance that security is holistically on the entire leadership’s plate .

Security is holistically on the entire leadership’s plate. Read more @Dimensiondata. Tweet this

Top-down and down-up

In fact, that holistic definition spans the entire organisation. Cyberagility isn’t exclusively a top-down requirement. Even though leaders should visibly accept and encourage cyberagility as a business pillar, it’s as important for employees to see the value at a granular level.

This is where DevSecOps is arguably the most potent, as those involved in the workflows will see the benefits of agile security in an agile environment. Everyone has the mandate to develop this capacity, as everyone will see the benefit. Governance can be used as a means to encourage a cyberagility framework on different projects. The person with the security mandate, such as the CISO, should engage with different stakeholders and glean their requirements. The business must collaborate to help bake security into processes, and not as an addendum.

Agile is the new way to run a business, and cyberagility is critical if those businesses ever hope to rein in security costs, reduce delays caused by security requirements, and know they’re producing safe outcomes that flow with the organisation. To get the advantage of cyberagility, companies must consider the following:

Cybersecurity agility isn’t a service that can be procured. It requires a paradigm shift in the company’s culture. Read more @Dimensiondata. Tweet this

• Cybersecurity agility isn’t a service that can be procured. It requires a paradigm shift in the company’s culture.
• Like DevOps, DevSecOps encourages security as part of the course instead of an explicit stage in the design process – the need to “shift left” in the application development lifecycle to secure applications from build time through to run time.
• Cybersecurity can no longer be bolted on after the fact, but rather needs to be embedded by design. This can be achieved by integrating into the same processes and tools already in use by developers and operations teams. Examples might include source code scanning, vulnerability management, compliance configuration validation, and patch deployment tools. This integration enables cybersecurity to latch on to development and automation tooling, which in turns ensures it will move at the speed of digital business. Continuous deployment requires continuous validation.
• Cyberagility cannot be left to a specific individual or unit. It has to be part of the overall business discussion, as well as the nuances of projects whereby cybersecurity serves as the business partner or facilitator to enable digital transformation securely, rather than its traditionally perceived gatekeeper role. This requires collaboration and understanding of business outcomes.
• Responsibilities for this can be mandated to someone such as a CISO, who can liaise with different people in the company to align security with their projects as an ongoing presence. But those projects are as responsible as the security personnel, if not more so.