5 Tips for Implementing a Successful SecOps Strategy
July 24, 2017

Pete Cheslock
Threat Stack

What is SecOps? Is it a team, a job title, or a methodology?

Depending on the size of your company, it could be a mix of all three. When smaller companies implement SecOps methodologies, security is everyone's job. Larger companies have entire teams devoted to helping them achieve "SecOps" — making it hard to create a blanket term for the industry.

In broad brush strokes, SecOps is a seamless collaboration between your IT security and IT operations teams. The goal is to streamline security processes, and ensure that every piece of code that makes it into production is as secure as possible.

If you've ever thought of revamping your company's current security operations to make it more agile, or if you've been thinking about building out a SecOps function, here are 5 tips you should keep in mind:

1. Have a plan

When setting out to integrate your security and operations teams, make sure you have a plan in place so you're able to get your SecOps program off the ground and running. In order to pull together a fleshed-out plan, here are some questions you should ask yourself:

■ What are you trying to accomplish?

Advice: Don't try to do everything at once. Focus on one or two things and make sure they are specific, measurable, achievable, relevant, and timely.

■ What is your team going to execute on?

Advice: Be very clear who on your team will do what by when. Ideally, you should create a list of action items that read like a playbook that can be implemented right away.

■ What can you use to help accomplish your goal?

Advice: Most of the time starting a SecOps program involves moving around internal resources, so you might not need to ask for extra resources or budget.

2. Designate stakeholders

Next, make sure you pick the right people to help you get your SecOps program off the ground. I recommend taking a top-down, bottom up approach. You'll need to pitch the C-suite (and other executive decision makers) on exactly how SecOps will benefit the company's security posture (and bottom line).

Next, you'll need to get the developers and security team on your side, as they'll be the people doing a lot of heavy lifting behind this change. It may not be an easy conversation for you to begin, but once you've elaborated on what SecOps can do for your company, the decision to embrace it will become much easier.

3. Train your new team

Traditionally, Security, Dev, and Ops teams are siloed. In some cases your Dev and Ops teams have no idea what their security counterparts are doing, and vice versa. This means when you begin integrating the teams, there will be a significant learning curve for all parties involved. To get your teams up to speed (and ready to implement your SecOps strategy), I recommend you do the following in your first team meeting:

■ Have a security pro share what their day-to-day work is like

■ Have a member of the Dev and/or Ops team share what their day-to-day is like

■ Provide an overview of SecOps use cases (like testing codes for vulnerabilities)

■ Breakdown the new strategy, and list action items so everyone understand the new process, and what they're responsible for

4. Put processes in place

Just like with any new project, you're likely to run into a few problems early on. To make sure your new plan isn't thrown off-course, you should implement processes so that people working together will know how to handle any curveball that comes their way.

Example:

If developer A deploys code, your team should be able to answer:

■ What tool they used to scan for vulnerabilities in the code

■ Who reviewed alerts from the vulnerability scan

■ Who is giving feedback to developer A

Seems simple, right? However, the best way to make sure everyone is on board is to communicate workflows with your team. Provide them with an end-to-end description of tasks, the processes you want to implement, and then repeat and iterate ad infinitum.

Though this sounds like a lot of upfront work, this will save you a great deal of time and legwork later on. It'll also reduce errors that happen when tasks fall through the cracks, and keep everyone on the same page.

5. Know How to Measure Success

You've put this new plan in place — now you should be able to prove that it's working! Chances are your executive team will be wondering how effective this new methodology is. Since you implemented it, chances are that you'll need to prove that any budget and resources you requested are worth it.

Here are some questions you should be able to answer, if your executive team asks, after implementing a SecOps program:

■ Could you deploy a patch today?

■ How often are you able to identify the need for a security patch?

■ How fast do security alerts get to you?

You should also have metrics, or KPIs, to show quantitative improvements in security thanks to your new SecOps implementation. Be sure to tailor these numbers to your specific industry, that way you can measure against what really matters, and show that you're continuing to move the security needle.

Perhaps most importantly when setting up metrics: make them realistic. No matter how thorough you and your team are, your security will never be perfect. Do the best with what you have, and strive for something you think you can accomplish (understanding that there will be some hiccups along the way). Just make sure you always seek to improve, and let your KPIs help keep you moving forward.

Pete Cheslock is Sr. Director, Ops & Support, at Threat Stack

The Latest

August 17, 2017

Mobile SDKs (software developments kits); love them or hate them, they're here to stay. They provide our apps with all sorts of functionality that would be incredibly time consuming to build, and they give us another means to monetize our apps. While it would be difficult to argue that SDKs aren’t useful, it’s also hard for developers to get a good idea of the amount of resources used by each SDK once the app is in production ...

August 15, 2017

A common belief within DevOps circles is that automation not only enables greater frequency of delivery and deployment, but improves its overall success rate. Whenever manual intervention is required, the chances of errors creeping in increases. Human error is a significant factor in many an outage, after all ...

August 14, 2017

DevOps and NetOps are both far more generous in their opinion of the other with respect to prioritization of efforts than traditional archetypes purport them to be, and they have a lot in common – even though they may disagree on details – according to a new survey by F5 ...

August 10, 2017

Only 12 percent of organizations can claim that their whole organization is on the path to business agility even though more than two thirds of survey participants agreed that agile organizations are better able to quickly respond to dynamic business conditions, according to a new survey from CA Technologies ...

August 09, 2017

Alongside its clear benefits, DevOps brings unique challenges when developing and operating a mobile environment. Mobile app developers and development teams face a unique set of requirements relating to collaboration, testing, and release. Technology fragmentation, disparate back-end systems, updates that require user action, and poor instrumentation can impede the DevOps process and become critical roadblocks to agile mobile development, ultimately impacting app retention and the bottom line ...

August 07, 2017

A crashing app might be a deal breaker, no matter how heavy the load that an alternative website entry point can handle would be. It is all about quickly verifying compliance against key functional and non-functional requirements in order to meet aggressive release schedules as part of the Go-to-market strategy. This means positioning unit testing, UI testing, API testing, and, of course, performance and load testing — as pillars of SDLC ...

August 03, 2017

Most software developers make themselves easy targets for hackers, even when they are behind a corporate firewall, according to a new survey from Netsparker Ltd. ...

August 01, 2017

Your top priority is to improve application development agility, but you may run into roadblocks put up by a security team that (mistakenly) believes speed is the enemy of effective cybersecurity. A new survey finds a majority of enterprises are working to overcome those roadblocks by integrating security into their existing DevOps methodology ...

July 31, 2017

Agile development compresses software testing cycles, jeopardizing risk coverage and opening the door for software failures. Here's what you can do ...

July 27, 2017

While 75 percent of organizations highlight continuous testing as critical or important, only a minority of survey respondents have made exceptional progress acquiring the necessary knowledge and key enablers to drive digital transformation, according to a global study by CA Technologies ...

Share this