
Bringing business agility to security

Mark Thomas

Group CTO Cybersecurity, Dimension Data


Progress has always changed the way businesses operate, as new market demands are met with new products, underpinned by new technologies. For instance, windmills improved the delivery of flour, trucks allowed more to be delivered faster, and telephones connected companies in real time with customers, no matter where they were.

Such an evolution is currently underway again. Its pinnacle is the digital business, an agile enterprise that conducts transactions more efficiently and effectively than ever before. These businesses do so by being cloud native, adopting open platforms as well as the fluid development methodologies often referred to as DevOps.

But in this digital evolution, cybersecurity has been slow to adapt. In 2017, the World Economic Forum rated cybersecurity as one of the top risks facing the world today. Our recent Executive Guide to the NTT Security 2018 Global Threat Intelligence Report shows how extensive this risk is. It highlights that although finance was the most attacked sector over 2017, technology had the unenviable distinction of a 25% increase in attacks globally.

Traditional security is a reactive force, applied after other processes. There are several reasons for this, not least because cybersecurity is often treated as a grudge purchase. It makes do with budgetary scraps after other requirements have been met. But such an approach is incompatible with the new business evolution and demands a new approach: the DevSecOps way. DevSecOps seeks to take the lessons already applied to the development process and apply them to the implementation of security.


Welcome to DevSecOps

DevOps speaks of continuous integration, continuous development. It attempts to create more flexibility in an organisation’s environment, enabling teams to make changes and test innovations without disrupting the larger company ecosystem. The door, in turn, is opened for incremental improvements and low-risk, high-reward experiments. By integrating cybersecurity with the continuous integration and continuous deployment pipelines, the security team is able to participate in rapid feedback loops to detect and resolve problems before they become a production issue. This reduces remediation cost and improves software quality. In a DevOps environment, projects aren’t scoped for months with gargantuan budgets. They operate over weeks, proving themselves before gaining more resources.

The entire business has to embrace this new agility. Traditional structures don’t have the flexibility to bend with the needs of an agile business. Priorities in the agile world are all systematically included and scaled. Instead of first building walls, then a roof, then windows and doors, everything is done at once, then scaled and improved.

But if security is left waiting in the wings instead of participating, it creates big problems. Traditional security is impeding agile companies, bogging down project and process development, even derailing them completely. The old way of shoehorning security into completed projects simply does not work anymore. Security needs to be there every step of the way, hence DevSecOps and the larger vision of cybersecurity agility.

Establishing cybersecurity agility

The good news is that a business doesn’t need to be far along in its digital maturity in order to become agile. This is something that can be introduced early, even helping forge a truly digital and agile future.

But there’s a catch: cyberagility isn’t a service that one can buy. It doesn’t arrive in a box, or application. The reason why cyberagility can promote overall flexibility and pragmatism is that it requires a mindset change across the entire organisation.

From a DevOps perspective, organisations have to realise that if security is left out of culture, there are only two outcomes: either security is going to slow down development cycles and release, or deployment will happen without security oversight, and therefore increase risk. Both scenarios are an open invitation for business disruption leading to security breaches, reputational damage, business process/product failure, or regulatory fines.

The traditional paradigm of cybersecurity as a grudge purchase has to make way for security as a strategic imperative. Think about it this way: if a food processing plant only tested its final products for contamination, instead of enforcing a hygiene culture all along the assembly line, it’s going to lose more products, have little control over any contamination in its processes, and even risk poisoning its customers. So food safety is a crucial, business-strategy-level element.

Cybersecurity agility is exactly the same. If security practices aren’t baked in throughout the development cycle, a business won’t have control and will lose dearly when things go bad. Therefore, cybersecurity must be a topic the C-suite appreciates and includes as a valid risk consideration. Attitudes that security is expensive and slows down time-to-market must be shifted to security as a core business requirement for successful products, services and processes. Likewise, the belief that cybersecurity is the problem of the CIO or CISO needs to be replaced by an acceptance that security is holistically on the entire leadership’s plate.


Top-down and bottom-up

In fact, that holistic definition spans the entire organisation. Cyberagility isn’t exclusively a top-down requirement. Even though leaders should visibly accept and encourage cyberagility as a business pillar, it’s as important for employees to see the value at a granular level.

This is where DevSecOps is arguably the most potent, as those involved in the workflows will see the benefits of agile security in an agile environment. Everyone has the mandate to develop this capacity, as everyone will see the benefit. Governance can be used as a means to encourage a cyberagility framework on different projects. The person with the security mandate, such as the CISO, should engage with different stakeholders and glean their requirements. The business must collaborate to help bake security into processes, and not as an addendum.

Agile is the new way to run a business, and cyberagility is critical if those businesses ever hope to rein in security costs, reduce delays caused by security requirements, and know they’re producing safe outcomes that flow with the organisation. To get the advantage of cyberagility, companies must consider the following:

  • Cybersecurity agility isn’t a service that can be procured. It requires a paradigm shift in the company’s culture.
  • Like DevOps, DevSecOps encourages security as part of the normal course of work instead of an explicit stage in the design process – the need to “shift left” in the application development lifecycle to secure applications from build time through to run time.
  • Cybersecurity can no longer be bolted on after the fact, but rather needs to be embedded by design. This can be achieved by integrating into the same processes and tools already in use by developers and operations teams. Examples might include source code scanning, vulnerability management, compliance configuration validation, and patch deployment tools. This integration enables cybersecurity to latch on to development and automation tooling, which in turn ensures it will move at the speed of digital business. Continuous deployment requires continuous validation.
  • Cyberagility cannot be left to a specific individual or unit. It has to be part of the overall business discussion, as well as the nuances of projects whereby cybersecurity serves as the business partner or facilitator to enable digital transformation securely, rather than its traditionally perceived gatekeeper role. This requires collaboration and understanding of business outcomes.
  • Responsibilities for this can be mandated to someone such as a CISO, who can liaise with different people in the company to align security with their projects as an ongoing presence. But those projects are as responsible as the security personnel, if not more so.
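The list above names source code scanning, vulnerability management and compliance configuration validation as the kinds of checks that can run inside the existing pipeline. The following is an added illustration, not code from Dimension Data or from any product named on this page, of what "continuous validation" looks like as a pipeline gate: three small checks run against build artefacts, and the build fails when any finding reaches a severity threshold. Every input (the requirements file, the advisory list with its ADV-EXAMPLE identifiers, the configuration and the source snippet) is constructed for the example; the advisory ids are not real CVEs.

```python
"""Illustrative CI security gate (added example, not Dimension Data code).

Three checks run against build artefacts; the build passes only when no
finding reaches the configured severity threshold:
  1. pinned dependencies compared against an advisory list
  2. deployment configuration compared against compliance rules
  3. source text scanned for hard-coded credentials
All inputs below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    check: str      # which validation produced it
    severity: str   # one of SEVERITY_RANK
    detail: str


@dataclass
class GateResult:
    passed: bool
    findings: List[Finding] = field(default_factory=list)


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted version string to a comparable tuple (no pre-release handling)."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Read 'name==version' pins; blank lines and comments are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def check_dependencies(requirements: str, advisories: List[dict]) -> List[Finding]:
    """Flag any pinned package older than the version an advisory says fixed it."""
    pins = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is not None and parse_version(pinned) < parse_version(adv["fixed_in"]):
            findings.append(Finding("dependency", adv["severity"],
                f"{adv['package']}=={pinned} affected by {adv['id']} (fixed in {adv['fixed_in']})"))
    return findings


# Compliance rules: (config key, predicate that must hold, severity, message)
CONFIG_RULES: List[Tuple[str, Callable, str, str]] = [
    ("debug", lambda v: v is False, "high", "debug mode must be disabled"),
    ("tls_min_version", lambda v: parse_version(v) >= (1, 2), "high",
     "TLS minimum version must be 1.2 or newer"),
]


def check_config(config: dict) -> List[Finding]:
    """Validate deployment configuration against CONFIG_RULES; missing keys fail too."""
    findings = []
    for key, ok, severity, message in CONFIG_RULES:
        if key not in config or not ok(config[key]):
            findings.append(Finding("config", severity, f"{key}: {message}"))
    return findings


# Assignment of a quoted literal to a credential-looking name.
SECRET_PATTERN = re.compile(r"""(?i)\b(password|secret|api_key|token)\s*=\s*["'][^"']{4,}["']""")


def check_secrets(source: str) -> List[Finding]:
    """Flag lines that look like hard-coded credentials."""
    return [Finding("secrets", "critical", f"line {n}: possible hard-coded credential")
            for n, line in enumerate(source.splitlines(), start=1)
            if SECRET_PATTERN.search(line)]


def run_gate(requirements: str, config: dict, source: str,
             advisories: List[dict], threshold: str = "high") -> GateResult:
    """Run every check; pass only if no finding is at or above the threshold."""
    findings = (check_dependencies(requirements, advisories)
                + check_config(config) + check_secrets(source))
    blocking = [f for f in findings
                if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]]
    return GateResult(passed=not blocking, findings=findings)


# Constructed sample artefacts: a build before and after remediation.
ADVISORIES = [  # hypothetical advisory feed, ids are placeholders
    {"package": "pyyaml", "fixed_in": "4.1", "severity": "high", "id": "ADV-EXAMPLE-1"},
    {"package": "flask", "fixed_in": "1.0.0", "severity": "medium", "id": "ADV-EXAMPLE-2"},
]
BEFORE_REQUIREMENTS = "requests==2.19.0\nflask==1.0.2\npyyaml==3.12\n"
BEFORE_CONFIG = {"debug": True, "tls_min_version": "1.0"}
BEFORE_SOURCE = 'API_KEY = "example-hardcoded-value"\nTIMEOUT = 30\n'
AFTER_REQUIREMENTS = "requests==2.19.0\nflask==1.0.2\npyyaml==5.1\n"
AFTER_CONFIG = {"debug": False, "tls_min_version": "1.2"}
AFTER_SOURCE = 'API_KEY = os.environ["API_KEY"]\nTIMEOUT = 30\n'

if __name__ == "__main__":
    for label, args in (("before", (BEFORE_REQUIREMENTS, BEFORE_CONFIG, BEFORE_SOURCE)),
                        ("after", (AFTER_REQUIREMENTS, AFTER_CONFIG, AFTER_SOURCE))):
        result = run_gate(*args, advisories=ADVISORIES)
        print(f"{label}: {'PASS' if result.passed else 'FAIL'}")
        for f in result.findings:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

Run as a pipeline stage, a non-zero exit on `passed == False` is what stops the deployment; the threshold parameter is how a team tunes the gate so that low-severity findings are reported without blocking, which is the feedback loop the section describes rather than a hard stop bolted on at the end.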
