I used to have a blog. My old blog content is probably still hiding somewhere on archive.org. The death of my last blog was the culmination of a fading interest in blogging and a desire to simplify by reducing the number of things that needed my attention and time. I eventually came to the realization that I wanted to do other things and maintaining a blog wasn’t one of them.
This time around I’m trying Hugo and I have an interest in spreading awareness in the infosec community. The motivation stems from attending the 2017 O’Reilly Security conference. Conferences are a great opportunity to network with people from a range of organizations and gain exposure to different perspectives.
One topic caught me off guard, a philosophy I like to call Agile Security. The term Agile Security hasn’t reached critical mass yet and it’s competing with terms like DevSecOps and Rugged DevOps. They’re all fundamentally the same concept. Distilling down to basics it’s about agility. It’s about InfoSec not being a blocker and improving agility where possible.
I was caught off guard because my definition (above) was either met with resistance or didn’t match the definition of my peers. Resistance was more or less in the form of views that it’s unorthodox and there’s no need to change. Definition mismatch was typically a comment that DevSecOps is only focused on automation in the Continuous Integration (CI) pipeline. Then there was the “we’re agile” camp where further discourse only led me to believe their definition of agile was askew.
Let’s talk about agility and DevOps. There’s plenty of confusion about DevOps in the world. It seems some organizations have renamed their Sys Admin teams DevOps and called it a day - that isn’t DevOps. My definition of DevOps is automating where possible and breaking down barriers where possible, both in the pursuit of agility.
Why is agility so powerful? Let’s start with a case study. What makes Amazon so successful? I’d argue agility. Amazon tends to go into markets and compete on thin profit margins. Reducing cost isn’t the key to their success. Reducing cost while adding value (features) is where Amazon competes and it’s the adding value that is so disruptive.
Paul Graham advocates “getting into a design war” with a large company in his book Hackers and Painters. Why a large company? They’re usually not agile. A smaller agile company can typically ship features faster than a larger company. Guess what a larger company has: an established “no” department.
Still with me? See the agility value? Wondering what it’s got to do with InfoSec? InfoSec has a reputation of blocking. We’re the “no” department. Most InfoSec departments have associated change with risk and for most InfoSec teams it’s easier to say no than guide a path.
I’d like to make the case, through this blog, that InfoSec can not only be the “yes” department, we can also improve agility while reducing risk. More to come…