Expert CISO Advice On Building An Effective DevSecOps Team

Tips from an expert panel of CISOs on deploying an effective DevSecOps team.

Infosec24 - Building A Better DevSecOps Team

At Infosecurity Europe 2024, an expert panel of CISOs, including Kevin Fielder, CISO, NatWest Boxed & Mettle; Ayse Vlok, Head of Platform Security, Dentsu; Tash Norris, CISO, Zopa Bank; and Jonathan Hughe, Client Partner, Istari-Global, discussed how organizations can build an effective DevSecOps team.

Why it matters: Organizations need an effective DevSecOps team and strategy to catch software vulnerabilities, ensure compliance, and reduce risk without adding to time-to-market or cost.

  • 17% of all cyber attacks target web application vulnerabilities (Source)
  • Over 29,000 common vulnerabilities and exposures were found in 2023 (Source)
  • The global DevSecOps market is set to reach USD 18,230 million by 2027 (Source)

What the panel covered: Building better people, processes, and technology from a DevSecOps perspective.

People – DevSecOps skills: How can you equip your team with the skills you need to succeed?

  • Internal bug bounty programs are a great way to reward teams for finding security bugs. It educates in a fun way, with a clear purpose.
  • Implement threat modelling. You not only get more secure designs, but it’s subtle training. You get people to start thinking like adversaries.

Processes – DevSecOps Process: How do you ensure your compliance and audits frameworks are in place?

  • In general, the SecOps frameworks are either very high level, or they have to be really technically detailed. It requires deep analysis and understanding of the actual tools and platforms to come up with guidance for DevOps engineers to follow. Provide templates to engineering vendors to, for example, provision resources within the cloud platform.
  • You can have very detailed frameworks, but none of the engineers read all of the policies and documentation. It’s good for audits and regulators but it’s not an effective control. We have to automate it.
  • Step back and look at what the project requirements are. Codify and automate as much as possible. Demonstrate how you meet that intent. No one expects you to be perfect and have everything in place, but they do expect you to have a plan.
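The process advice above comes down to one move: turn each control in the framework into a check that runs in the pipeline over what engineers are actually about to provision, so the control is enforced rather than documented. The following is an added example and is not code from the panel or the article. The template schema, the resource types and the control identifiers (ENC-001, NET-001, GOV-001) are all assumptions made for illustration, not any cloud provider's or framework's real format.

```python
"""Codified controls run over a (hypothetical) resource provisioning template.

Added example: each control is a small function with a stable identifier that
can be mapped back to the compliance framework, so the audit trail is the
pipeline output rather than a policy document nobody reads.
"""
from dataclasses import dataclass

# Constructed sample input. The schema is an assumption for this example,
# not a real cloud provider's template format.
SAMPLE_TEMPLATE = {
    "resources": [
        {"name": "customer-docs", "type": "storage_bucket",
         "public_access": True, "encryption": {"enabled": False},
         "tags": {"owner": "payments-team"}},
        {"name": "ledger-db", "type": "database",
         "publicly_accessible": False, "encryption": {"enabled": True},
         "tags": {}},
        {"name": "audit-logs", "type": "storage_bucket",
         "public_access": False, "encryption": {"enabled": True},
         "tags": {"owner": "sec-eng"}},
    ]
}


@dataclass(frozen=True)
class Finding:
    control: str    # hypothetical control ID an auditor can map to the framework
    resource: str
    severity: str   # "high" or "medium"
    message: str


def check_encryption(res):
    """ENC-001 (hypothetical): data at rest must be encrypted."""
    if not res.get("encryption", {}).get("enabled", False):
        return Finding("ENC-001", res["name"], "high",
                       "encryption at rest is not enabled")
    return None


def check_not_public(res):
    """NET-001 (hypothetical): no resource is reachable from the public internet."""
    if res.get("public_access") or res.get("publicly_accessible"):
        return Finding("NET-001", res["name"], "high",
                       "resource is reachable from the public internet")
    return None


def check_owner_tag(res):
    """GOV-001 (hypothetical): every resource names an accountable team."""
    if "owner" not in res.get("tags", {}):
        return Finding("GOV-001", res["name"], "medium",
                       "missing 'owner' tag; no accountable team")
    return None


# Controls per resource type. Unknown types still get the type-agnostic
# ownership control instead of silently passing everything.
CONTROLS = {
    "storage_bucket": [check_encryption, check_not_public, check_owner_tag],
    "database": [check_encryption, check_not_public, check_owner_tag],
}
DEFAULT_CONTROLS = [check_owner_tag]


def evaluate(template):
    """Run every applicable control over every resource; return all findings."""
    findings = []
    for res in template.get("resources", []):
        for check in CONTROLS.get(res.get("type"), DEFAULT_CONTROLS):
            finding = check(res)
            if finding is not None:
                findings.append(finding)
    return findings


def gate(findings, fail_on=("high",)):
    """CI gate: True means the change may proceed to provisioning."""
    return not any(f.severity in fail_on for f in findings)


if __name__ == "__main__":
    results = evaluate(SAMPLE_TEMPLATE)
    for f in results:
        print(f"{f.severity:6} {f.control} {f.resource}: {f.message}")
    print("PASS" if gate(results) else "FAIL")
```

The point of the stable control identifiers is the "demonstrate how you meet that intent" part: a regulator asks how encryption at rest is enforced, and the answer is the ENC-001 check and its pipeline history, not a paragraph in a standard. Medium findings here are reported but do not block, which is the "have a plan" posture rather than demanding perfection on day one.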

Technology – Finding the right DevSecOps tools: What is the right approach to finding the right DevSecOps tools?

  • Having the right people and the right culture will lead you to the right tools. Have a security team embedded with the engineering teams. Look at tools that integrate in the pipeline. Look at tools that have good reporting. Even if you implement multiple tools in the pipeline, you need to have the data accessible from one place where you can access it. Automation, integration, and the reporting are the key things to look for. I would also add consolidation. Think about the overhead you’re adding for other teams as well.
  • Understand the metrics your engineering teams target. When looking for tools to go into the CI/CD pipeline, it’s important to know what your teams are looking for. Understand the use cases of solutions and be tightly aligned with the strategic direction of your company and the metrics you’re talking to.
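The tooling advice above (integrate into the pipeline, get the data from every tool into one place, consolidate) implies a normalising layer: each scanner emits its own schema and severity scale, and the reporting only becomes useful once those are mapped onto one. The following is an added example, not code from the panel or the article. Both tool output formats, the tool names and the vulnerability identifiers are constructed for illustration; real scanners have their own schemas, which is exactly why this layer is needed.

```python
"""Consolidating findings from several pipeline tools into one report.

Added example. The two input formats below are constructed stand-ins for a
SAST tool and a dependency scanner; the normaliser maps both onto a shared
schema, de-duplicates across repeated runs, and applies one blocking policy.
"""
import hashlib

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed output of a hypothetical SAST tool.
SAST_OUTPUT = {
    "tool": "sast-scanner",
    "issues": [
        {"rule": "sql-injection", "file": "app/db.py", "line": 42, "level": "ERROR"},
        {"rule": "weak-hash-md5", "file": "app/auth.py", "line": 17, "level": "WARNING"},
    ],
}

# Constructed output of a hypothetical dependency scanner (IDs are not real CVEs).
SCA_OUTPUT = {
    "scanner": "dep-audit",
    "vulnerabilities": [
        {"id": "DEP-EXAMPLE-1", "package": "libfoo", "version": "1.2.3", "cvss": 9.1},
        {"id": "DEP-EXAMPLE-2", "package": "libbar", "version": "0.9", "cvss": 4.3},
    ],
}


def sast_severity(level):
    """Map the hypothetical SAST tool's levels onto the shared scale."""
    return {"ERROR": "high", "WARNING": "medium"}.get(level, "low")


def cvss_severity(score):
    """CVSS v3 qualitative rating bands (critical/high/medium/low)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def normalise(report):
    """Map one tool's native output onto the shared finding schema."""
    if "issues" in report:
        return [{"source": report["tool"], "title": i["rule"],
                 "location": f'{i["file"]}:{i["line"]}',
                 "severity": sast_severity(i["level"])} for i in report["issues"]]
    if "vulnerabilities" in report:
        return [{"source": report["scanner"], "title": v["id"],
                 "location": f'{v["package"]}@{v["version"]}',
                 "severity": cvss_severity(v["cvss"])} for v in report["vulnerabilities"]]
    raise ValueError("unrecognised report format")


def fingerprint(finding):
    """Stable ID from what the finding is and where it is, so a re-run
    (or the same tool in two pipeline stages) does not double-count it."""
    key = f'{finding["title"]}|{finding["location"]}'
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def consolidate(reports):
    """Merge any number of tool reports into one de-duplicated list,
    worst severity first."""
    seen = {}
    for report in reports:
        for finding in normalise(report):
            fp = fingerprint(finding)
            if fp not in seen:
                seen[fp] = {**finding, "id": fp}
    return sorted(seen.values(),
                  key=lambda f: -SEVERITY_ORDER.index(f["severity"]))


def should_block(findings, threshold="high"):
    """Single blocking policy applied across all tools."""
    floor = SEVERITY_ORDER.index(threshold)
    return any(SEVERITY_ORDER.index(f["severity"]) >= floor for f in findings)


if __name__ == "__main__":
    # The SAST report appears twice to show de-duplication across runs.
    merged = consolidate([SAST_OUTPUT, SCA_OUTPUT, SAST_OUTPUT])
    for f in merged:
        print(f'{f["severity"]:8} {f["source"]:13} {f["title"]} ({f["location"]})')
    print("BLOCK" if should_block(merged) else "PROCEED")
```

Keeping the threshold in one place is the consolidation the panel argued for: adding a fourth scanner means writing one more branch in `normalise`, not another dashboard and another blocking rule for engineering teams to learn.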
