Development teams may be using the latest and greatest technology to build amazing products, but security does not always keep pace. In the recent “What Will it Take to Reach DevSecOps Maturity?” episode of the ISACA® Podcast, Shannon Lietz, Adobe’s VP of Vulnerability Labs, discussed opportunities for security teams to become trusted partners, offered a roadmap for how DevSecOps needs to evolve to reach the necessary maturity, and described some of the efforts that can help the broader security industry strengthen this essential security muscle.
“You can go look at the original design of computers and I think they actually had security built in … but as you see that natural progression of where something gets invented and how things eventually get commoditized, I think it became really obvious that because we didn’t have the quality standards for how people were going to create compute workloads and commoditize, that they naturally got left out,” Lietz said. “And they were left out in such a way that the customer started demanding that security be put back in, like the beginning of the firewall and intrusion detection systems. All of those came from demand that this is a problem that needs to be solved.”
Even now, it seems that our current processes are still not enough to keep us secure. “We are targeting things like safety as our ultimate destiny, building things to be perfectly secure rather than resilient or adversary resilient,” Lietz said. “We want to be both perfect and resilient as much as possible, but you have to do tradeoffs to make things happen. The North Star has to be more adversary resilience … We can create a set of standards or guidance and then build off of those, but if they aren’t directed by data or a North Star of adversary resilience, then we are essentially kind of guessing.”
Lietz shares key best practices that organizations can implement to change their security culture: making security more accessible, being transparent, and having open conversations, especially about the ways the industry is not perfect and about which problems deserve investment.
“I think there is a future of security becoming more native to modern workflows, but it will require us to realize that we have to change, invest, innovate and improve,” Lietz said. “The current state of being just OK with the status quo or treating it like a checklist is a rallying cry for the industry to make this bold move to the next phase.”
To learn more about DevSecOps maturity, listen to “What Will it Take to Reach DevSecOps Maturity?” on the ISACA website or stream it on Apple Podcasts, Podbean, Spotify or Stitcher.