There comes a time in every good security leader’s career where just saying “no” to DevOps won’t work (although we always reserve the right to do so). Instead, we must come up with a solution to the problem at hand. The time is here and now to embrace DevOps. Join Tim Virtue, Chief Information Security Officer for Texas NICUSA, as he explores the “marriage” of DevOps and Security. He will share the successes and failures from three significant DevOps experiences, with a focus on his most recent encounter with the DevOps/Security union in a heavily regulated Financial Services firm. Tim will share his story – from the crying, screaming, and paranoia – to the eventual success stories and lessons learned. You will walk away from this presentation with the knowledge, skills, and shortcuts to persuade even the staunchest security naysayer to change their mind and support, rather than derail, your DevOps program.

1. 1
DevOps:
Lead, Follow, Or Get Out of the Way
A CISO Perspective
Presented by:
Tim Virtue
CISO, Texas.gov

2. The Lawyers Made Me Do It
 Any references to specific organizations, people,
products, or services, are purely examples or learning
opportunities and neither criticisms nor
endorsements
 The views presented are strictly my own and may or
may not represent any organizations or affiliations I
have (mostly because they have not seen the light
yet )
 It’s OK to agree to disagree, but anyone who gets
that worked up over slides needs a vacation

3. ABC Soup & Street Cred
 CISSP, CCSK, CISA, CIPP/G, CFE, ITIL V3, CVE, QGVM,
blah blah blah…
 Over 15 years experience in Security, Risk
Management and IT
 Executive Master of Science in Information Systems
from a top business school
 Cyber Security Instructor, Author & Speaker
 Not bragging – just showing perspective & credibility
– if DevOps can sell me, you can sell it to the greater
security community and your organization

4.  Something to be
ignored
 Something Security
should try and stop
 Something done in
isolation
 A system or tool
implementation
What DevOps Is Not

5. What is DevOps?
 Many things to many people
 A trendy buzzword, but with a powerful ideology
 Not just for “The Unicorn Companies”
 For today, lets focus on key concepts such as Agile,
Culture, Quality, Automation & Tools
 For a great in depth discussion read “What Is
DevOps?” by the Agile admin:
http://theagileadmin.com/what-is-devops/

6. DevOps: My Initial Thoughts
3 Ring Circus
Like I didn’t
have enough
problems when
they
(Development &
Operations)
worked
independently –
now they want
us to work
together –
Seriously???
Puppets, Chefs,
& Vagrants –
These are now
in the
environment – I
don’t know
what this
means, but your
telling me not
to worry –
Really???
We struggle with a few
security basics already
– and now you want to
do everything faster –
Fantastic!

7.  Once I began to
understand the DevOps
shift and that it means
more than a suite of new
tools, I began to feel a little
better
 Communication,
Collaboration and
Integration – these sound
like good things that we
can use more of
 Everyone is doing it –
How bad could it be?
A Light At The End of The Tunnel – But I Still Think It
Could Be A Train

8.  CIA – Confidentiality,
Integrity, Availability
 Slower is better
 Separation of Duties
 Documentation
 Security Says No!
Traditional Security 101

9. How Security Sees Itself

10. How Security Sees Development & Operations

11. How Development & Operations See Security
Security Says…
NO!!!

12. How We All Should Be Seen
Dev OpsSec

13. Faster releases means faster
security fixes
More automation = Less manual
processes (read less human error
& reduced insider threats)
More visibility and involvement
with stakeholders

14. Time For A Change

15.  Security not only embraces but leads a Security
driven DevOps Culture
 We control our own destiny rather than fight an
inevitable and uphill battle
 We manage by risk based approach – but still
achieve our compliance requirements
SecDevOps

16. DevOps Security
 Happens a lot faster, if not “real time”
 Automation
 Less Documentation
 “Blurred” segregation of duties
 Security needs to say yes with secure, flexible,
solutions that address CIA and not loose focus on
what we are really trying to protect

17.  Collaboration
• Work together so the output is
more like SecDevOps
 Communication
• Share what you are doing and
why
• Learn to speak the DevOps
language but share Security
perspectives too
 Innovation
• Work with to find solutions to
support traditional Security 101
goals while supporting new
methodologies
How Do We
Get There?

18.  It is happening one way
or the other – better to
control our own destiny
rather than fight an
uphill battle
 Let us all work
collaboratively to get
our needs met
 Let us show you how it
can benefit you
How Do We Sell This?

19.  Faster releases means
faster security fixes and
less vulnerabilities
 More automation = Less
manual processes (read
less human error &
insider threats)
 More visibility and
involvement with
stakeholders
CISO Benefits – If DevOps Security Is Done Right

20. Some Other Things To Consider
 Security leaders will need to invest time in the
transition so you can help meet existing security
requirements while supporting the mission
 Start small and prove this works
 Get the CISO onboard, he can be your biggest
advocate
 This is a huge shift – it will take time – practice
traditional organizational change management
techniques
 Lead by example

21.  More & Improved Collaboration
and Communication
 More open minds and increased
knowledge
 Flexible solutions that address the
intent of CIA while not getting
hung up on “Old School” and we
have always done it that way
methodologies
 Become change agents in the
security community (including risk
managers, auditors, compliance
professionals)
What Needs
To Change -
Security

22.  More & Improved Collaboration
and Communication
 Innovative ways to support
traditional security objectives
while embracing DevOps
 Put the “No” in Technology and
start speaking the language of
risk management
 Build in security through out the
entire DevOps Lifecycle
What Needs
To Change -
DevOps

23. Where To Start

24.  Focusing on technology and
ignoring organizational culture
 Lack of creativity
 Lack of executive support
 Only select teams/individuals
adopting new methodologies
 Loosing sight business goals and
desired outcomes
Cause of
Failure

25.  Proper training
 Starting small
 Alignment with business
 Creating a culture of agility
 Incremental improvement
 Focus on the intent of security
requirements
 Risk based approach
Cause of
Success

26.  Start today
• You invested the time in this session
– take the next step
 Avoid overthinking
• You don’t need to rollout the perfect
solution
 Iterative approach
• Crawl, Walk, Run
 Be constructively dissatisfied
• Deliver continuous improvement
 Lead by example & and build
controls into the process
Call to Action

27. Thank You!
 Help me spread the message to others
 Build security into your organizational DevOps
culture so that it looks more like SecDevOps
Please check me out on LinkedIn
http://www.linkedin.com/in/timvirtue
Or follow me on Twitter
https://twitter.com/timvirtue

28.  Tim Virtue
• Chief Information Security Officer
• Tim.Virtue@egov.comContact Me