NetOps, SecOps, and DevOps: Merger Material?
The way companies view technology strategy is increasingly filtered through the need for speed. With their cross-functional agile development processes, teams like DevOps are critical to companies aiming to feed the insatiable appetites of today’s digital economy. At the same time, NetOps teams race to deliver flawless performance—in real time—across an ever-more complex environment of data centers, cloud, and virtualized environment. But the bad guys are moving just as fast—or faster—especially with the ever-expanding goldmine of connected devices just inviting them to find a way in. The cyber threat landscape is the new wild west, and security can’t be an afterthought.
Smart organizations are shifting from a reactive approach to one that more closely integrates teams like DevOps and NetOps with security—a strategy that balances technology innovation and risk mitigation. The experts we spoke with at recent cybersecurity executive forum called it the wave of the future
Security: No Longer an Independent Function
“Personally, I think security as an independent function is a thing of the past,” said Chris Wallis, founder of security company Intruder. “We’re going to see a lot more integration with operations and development teams in the future. The security team just doesn’t have the same knowledge about the business as the people who are actually creating the business.”
John Childress, chairman at technology and consulting solutions company Cultursys, agreed. “Technology, enterprisewide operational security, and physical security all must come together under the purview of the chief information security officer, who is connected to all elements of the organization,” he said “Security needs a seat at the table. All too often, security is an afterthought in the planning process.” In addition, according to Childress, there often is insufficient budget to properly mitigate risks. “One of the problems is that security tends to speak in the language of technology, and not the language of business,” Childress added. “They need to frame cybersecurity in terms of the business risks and opportunities.”
Tom Ilube CBE, CEO for Crossword Cybersecurity, also believes DevOps and security teams need to merge, but that separate security oversight will be required as well. “It is important to keep an eye on what those combined DevOps and security teams are doing,” he warned. “Companies will need someone standing at arm’s length to observe it. In general, operational and development teams have to become much more security aware. These teams have to be trained in security and will need someone looking over their shoulder.”
Evaluate Your Risks—and Your Appetite for Mitigation
Ignoring security risks is, for lack of a better word, risky. “Failure to evaluate security risks introduces extra risk that’s hidden below the surface,” said Nic Miller, from cybersecurity firm Aedile Consulting. “It’s important to ask the right questions.” Businesses need to determine their risk appetite, he added. “Is that appetite appropriate for the size of the company, for the type of data they hold, for the industry they’re in? It’s crucial to gain a good understanding of how much risk you’re carrying in cyber and how it’s going to change as you grow.”
The jobs of chief security officer, chief technology officer, and chief transformation officer increasingly are coming together in a single role, according to Michael Fieldhouse, social impact practice leader at DXC Technology. “To support digital transformation,” he said, “companies need an agile environment. A vital component of that environment is having a security doctrine. It’s a bit like having kids. Are you willing to let them run off and fail, and then pick themselves up? Or do you want to work with more guardrails? Do you prefer to have a more methodical process? The challenge for most organizations is determining what design works best for them and what appetite for risk they’re willing to tolerate.”
The cyberspace land grab is in full force, and for every fence you put up—regardless how innovative—there’s a criminal eager run through it. Securing your boundaries up front by combining integration operations with security s is one way to help keep the criminals at bay.
Note: The information above is based on interviews conducted at the June 2019 WSJ Pro Cybersecurity Executive Forum by Wall Street Journal reporters on behalf of NETSCOUT
Watch interviews with WSJPro Cybersecurity Executive Summit attendees here.