CISO View Insights from the Global 1000: Five Steps for Integrating Security with DevOps

January 16, 2019 Chris Smith

The Challenge – Security vs. Velocity

While organizations are increasingly adopting DevOps tools and methodologies and seeing tremendous business benefits, it is not always clear that security remains a priority. The truth is that, while developers want security, when security threatens to slow down getting new applications to customers (whether internal or external), security suffers.

It’s an issue CISOs across the globe face – how do you prioritize security without impacting developer velocity? CyberArk, in conjunction with independent research firm Robinson Insight, has assembled an expert panel of CISOs from the world’s leading organizations to discover their best practices and real-world insights into protecting privileged access. Here are some of their key ideas.

Top Five Tips for Integrating Security into the DevOps Environment

1.) Transform the security team into DevOps partners. Many DevOps practitioners do take security seriously; in fact, in the Sonatype DevSecOps Community Survey 2018, 91% agree that “security is part of everyone’s job.” So, for security, the challenge can be harnessing the developers’ beliefs and energy. For example, security teams can engage more effectively by getting up to speed on DevOps tools and techniques. They can also help developers do the right thing by offering reusable code modules and self-service approaches that make it easier for developers to adopt good security practices.

2.) Prioritize securing DevOps tools and infrastructure. Some important places to get started are reducing the concentration of privilege in the build automation tools and ensuring that code repositories do not expose secrets.

3.) Establish enterprise requirements for securing secrets and credentials. Instead of struggling to consistently control and monitor secrets dispersed across multiple DevOps tools, a better approach to reducing risk and saving time is to implement a centralized secrets management system. The centralized secrets management platform can then be used to ensure that users, whether human or machine, don’t see the actual credentials.

4.) Adapt processes for application testing. With DevOps teams making multiple releases per day, security needs to implement new, automated approaches so as not to slow the process down. For example, security can develop automated processes such as a “break the build” approach.

5.) Evaluate the results. In most cases, improving the security of DevOps environments happens through many incremental advances. Teams should highlight each success and then build and expand from it. For example, organizations can use metrics to show how much of the attack surface has been addressed and how effective controls are.
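As an added example (not code from the CISO View report or from CyberArk), the following script shows what a minimal “break the build” check from tips 2 and 4 looks like: it fails a CI job when committed files contain literal credentials, while treating references to a central secrets manager (tip 3) as the desired pattern. The detection rules, file names and sample configs are constructed for illustration and stand in for the repository's real files.

```python
"""Added example: a "break the build" secrets check for CI (not CyberArk's code)."""
import re
import sys
from pathlib import Path

# Constructed illustrative rules; a production scanner would use a maintained ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
# A reference to a secrets manager or the environment is the wanted pattern, not a finding.
SECRETS_MANAGER_REFERENCE = re.compile(r"(?i)os\.environ|getenv|secretsmanager|vault:")

# Constructed samples standing in for files committed to a repository.
LEAKY_CONFIG = """# settings checked in with live credentials
db_password = "hunter2hunter2"
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
"""
CLEAN_CONFIG = """# same settings resolved from a central secrets manager at runtime
db_password = os.environ["DB_PASSWORD"]
aws_access_key_id = secretsmanager://prod/ci/aws-access-key
"""

def scan_text(name, text):
    """Return (file, line, rule) for every line that looks like a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SECRETS_MANAGER_REFERENCE.search(line):
            continue  # credential is fetched at runtime, nothing is exposed in the repo
        findings.extend((name, lineno, rule)
                        for rule, pat in SECRET_PATTERNS.items() if pat.search(line))
    return findings

def scan_files(paths):
    """Scan on-disk files (e.g. the changed files of a pull request)."""
    return [f for p in paths for f in scan_text(p, Path(p).read_text(errors="replace"))]

def main(argv):
    """Exit non-zero when anything is found, which fails the CI job ("break the build")."""
    findings = scan_files(argv[1:]) if len(argv) > 1 else scan_text("leaky.cfg", LEAKY_CONFIG)
    for name, lineno, rule in findings:
        print(f"{name}:{lineno}: {rule}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments it scans the constructed leaky sample and exits 1; in a pipeline it would be invoked on the changed files so that a detected credential fails the build rather than reaching the repository's history.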

The CISO View – DevOps and Cloud Environments

These insights are a small sample of the information assembled by a diverse body of CISOs. Working with the panel of expert CISOs, CyberArk has created a report that provides security leaders with important insights and education. Contributors to the report include security and IT executives from ING Bank, CIBC, Rockwell Automation, Lockheed Martin, Starbucks, Pearson, Asian Development Bank, American Express, NTT Communications, Carlson Wagonlit Travel, Orange Business Services, American Financial Group (AFG) and GIC Private Limited.

The goal of this report, The CISO View, is for security leaders to be able to leverage these experiences and apply them in their own environments. Security and DevOps can be stronger together – The CISO View experts can show you how to get them there.

Download the Full Report

To learn more…

Download the free report.

Watch a brief video that highlights the top 5 recommendations.

Read the press release.

Attend the webinar on February 26th.

Visit the CISO View page.
