Security is one of the process blades of Disciplined DevOps and Disciplined Agile IT (DAIT). The focus of the Security process blade is to describe how to protect your organization from both information/virtual and physical threats. This includes procedures for security governance, identity and access management, vulnerability management, security policy management, incident response, and vulnerability management. As you would expect these policies will affect your organization’s strategies around change management, disaster recovery and business continuity, solution delivery, and vendor management. For security to be effective it has to be a fundamental aspect of your organizational culture.
Why is Security Important?
Why is security important? Because security breaches can be devastating. Here are just a few examples:
- In January 2009 it was found that Heartland, a company that processed 100 million credit card transactions a month, had been breached via SQL injection in March 2008. Found to be out of compliance with the PCI DSS security standards, they were not allowed to process the transactions of major credit card vendors until May 2009 and they had to pay out $145 million to cover fraudulent transactions.
- The November 2013 security breach at Target where the personal information of 70 million customers was compromised, the cost of the breach was $162 million, and the CEO was motivated to resign.
- The March 2015 security breach of Slack‘s database where 500,000 emails and other personal account information was stolen.
- The October 2015 breach of Experian/T-Mobile where the personal data of 15 million was exposed.
- And of course the 33,000 emails obtained by Russian hackers from Hillary Clinton’s email server.
The following strategies enable you to optimize your Security activities:
- Collaborative work with the teams. Security engineers will be invited to work with delivery teams to review their work for security concerns at the earliest feasible moment and in some cases to help them to secure critical aspects of their solutions.
- Support common security infrastructure. Security engineers will help teams to identify and adopt appropriate security tooling and frameworks. They develop and evolve security guidance for your organization.
- Skills transfer. Providing people with coaching and training in security will help to build security awareness within your organization. Security training should be provided to all members of your organization, with deeper training and education provided to IT staff who are directly involved with development or operations of secure systems.
- Collaborate with other organizations. Within the security community there is constant sharing of information between organizations, including education about new security threats and new mitigation strategies.