Help us Obi Wan! The fact is that DevOps is security’s last best hope. The sooner the security industry realizes it the better it will be for everyone.
I read George Hulme’s story today about proceeding with caution and going slow with DevOps. Of course, it was no surprise to me that those cautioning to go slow were my fellow security industry professionals. What else do you expect? After all, we are the “people who say no”. At least the three folks George interviewed didn’t flat out say no to DevOps. They just advised caution. The fact is that DevOps is security’s last best hope. The sooner the security industry realizes it, the better it will be for everyone.
Let’s be honest. The security industry, for the most part, has not been a stunning success in keeping our data, apps and infrastructure safe and secure. Some may even say it has been an abject failure. What do you expect, though? The game is stacked against us. Almost by definition, the entire security industry is a reactive model. We are always one step behind, reacting to the newest moves of the bad guys. To be a security professional is to know failure.
What is worse, we are generally ignored until we fail, and then the harsh, bright light of a security breach shines in our eyes. Is it any wonder that so many security folks feel that they are not successful? Our budgets are never enough, we never have enough resources, no one ever does what we ask, and not enough people take security seriously until after the doo doo hits the fan. Yes, it takes a special kind of masochist to be a security person.
It is not by happenstance that in Gene Kim’s book, The Phoenix Project, the poor bastard of a security guy goes out on a bender and comes back at the end having fallen off the wagon.
For all of the aggravation of fighting an impossible-to-win fight, how are security people viewed by the rest of the IT folks and others in the organization? I am sorry to say that all too often we are thought of as the crazy person in the back of the room yelling no. Again, as in Gene’s book, it gets so bad that people stop inviting us to their meetings. They know what we are going to say, NO, so what’s the point?
There are more enlightened, or maybe smarter, security folks who don’t say no any longer. Now they say yes, do it, but let’s go slow and make sure we understand it. When asked why, these security folks have a built-in scapegoat. They blame compliance. Yes, f**king compliance. Yeah, that’s the ticket. We have to go slow because our compliance obligations require it. I laughed out loud when I saw this raggedy old flag being hoisted in George’s article.
Compliance is always the fallback of the security guys who say no. I have seen many examples of this over the years. Two of my favorites are:
1. The security guy who asks the IT manager or C-level guy “how do you look in stripes?”, because if you do this without going slow and making sure we are compliant, we could all wind up in the slammer.
Hell, we didn’t send anyone to jail for bringing this country to the brink of economic ruin. Do you really think we are going to send someone to jail because by adopting DevOps we might blow a PCI requirement? Can we really do any worse than Target?
2. Walking around a US Army base talking to the security officer, I asked him how he was dealing with the compliance issues around securing wireless networks on base. He replied that it was easy: he forbade wireless networks on base, so they were in full compliance. Of course, as he said this I was watching people unplug their WAPs and throw them under their desks as we walked by.
Yes, security folk can fall back on compliance as the reason for our no, but it is tired and old. The same goes for the security people who are always promising the next magic bullet. If only they had the latest shiny new budget-busting trinket, they could finally sleep well at night. Even if they get their new toy, it only turns out that the bad guys have found a new vector and we need the next silver bullet.
No, I am afraid being the guys who say no, or even the people who say “OK, but let’s go slow”, is just not going to cut it. The speed of business today, at the enterprise or the startup, is anathema to the “go slow” mantra.
On the other hand, DevOps offers a new way. A way to change the way the game is played. For so long I have heard security folk wax poetic about the possibility that security could be built into the process. Instead of being bolted on after the fact, wouldn’t it be great if it were built in by design? Wow, what a great thing that could be.
DevOps has the potential to deliver on the built-in dream. DevOps can make the developer more aware of security and even compliance issues while the code is being written. It can give the security team insight and input into the development planning and process.
DevOps has the potential to break down the silo that separates security from the rest of IT. Just as it brings Dev and Ops together, DevOps can give security a seat at the table. Security can move from being the crazy madman in the back to a respectable member of the team.
This security transformation won’t be easy though. It will demand a change in security’s attitude. First and foremost, we have to change from being the people who say no or go slow, to the people who say “yes we can”. We need to understand that many of these projects and initiatives are going to move forward with or without us. Better to get on the bus than to get run over by the bus.
Next, we have to do a better job of communicating our concerns or issues. Falling back on FUD or compliance is not cutting it. We need to communicate the risks involved and how we can mitigate them, and understand that a business decision will be made as to what level of risk is acceptable and how that risk is going to be managed. At that point we have given enough information for the business people to make a business decision. They make the decision, we get behind it, we don’t bitch and bite, and we move forward.
Security can’t be the people who say no or go slow. When security starts to say “yes we can, and this is how we do it”, security will be given the seat at the IT table that we deserve.