Stuart Gunter Security Practice Lead

Our Thinking Tue 14th January, 2020

Cybersecurity Strategy and the Secure Delivery Playbook

Security teams are under increasing strain due to a disconnect between the traditional operating models and those of agile delivery teams. It’s very useful having a playbook that engineering and security teams can use in day-to-day delivery, but how does it fit into your wider security strategy? Is this just a resource for security and delivery teams, or does it have a place on the CISO’s desk?

In producing our Secure Delivery Playbook (SDP), we focused on core principles and practices that ensure cybersecurity is efficiently and effectively addressed within continuous delivery. In the few short months since its publication, we’ve received a lot of very positive feedback from both the DevSecOps community and a number of our clients. Our approach resonates with people responsible for delivering secure outcomes for their teams and organisations. This comes as no surprise, as we’ve seen that many organisations are facing this challenge as they embark on large-scale digital transformation programmes and undergo substantial changes to their ways of working.

But how does it fit into the wider cybersecurity strategy?

Translating strategy into action

Cybersecurity strategy is undoubtedly the driving force that directs all security efforts across the organisation. A strong, forward-thinking strategy channels everyone’s efforts towards positive outcomes. The SDP complements this strategy by providing a translation for engineering teams, helping them understand how to practically apply security within their context while aligning to the strategy.

A popular framework for managing cybersecurity risk is the NIST Cybersecurity Framework (CSF). While this provides an excellent high-level structure for organising and responding to risk, it doesn’t specifically address how a software delivery team might achieve those outcomes. You wouldn’t be able to give delivery teams a copy of the CSF and expect them to know how that influences their day-to-day work.

However, the SDP is an effective way to map and translate high-level frameworks, like the NIST CSF, into actionable practices that teams can adopt.

Scaling to meet demand

Providing practical guidance to teams is critical to success, but the SDP goes even further than this. It also addresses one of the constant challenges in cybersecurity: how to meet the demand for high-quality security expertise across a large organisation, while operating with limited capacity.

The structure of the SDP reflects an operating model we’ve found to be successful in addressing this challenge: Organise, Build & Operate. This is particularly well aligned to the You Build It, You Run It approach popularised by Amazon, and scales by fanning out as larger delivery programmes require greater and more specialised support.


The fan-out model sees multiple Organise teams operating at different levels in the organisation. Centrally, the Organise team continues to provide the same services across the business, but larger delivery programmes also provide their own ‘in-house’ Organise team as a local enabler team.

This is commonly observed in digital transformation programmes, where a large number of teams are invested in a single platform, often built upon one of the major cloud providers. Having their own Organise capability within the boundaries of their delivery programme helps increase the speed of delivery through native security solutions tailored to their context. It also provides a feedback mechanism into the central Organise capability, allowing the all-important view of cybersecurity risk across the entire organisation.

These programmes often create ‘shadow IT’, and we should expect ‘shadow security’ to follow closely behind if we don’t provide a better alternative. The way to address this is not to tighten the grip of central security, but to provide a new operating model that explicitly acknowledges and supports this new world.

In my next blog post, I’ll provide a more detailed explanation showing how this scalability can be achieved within the structures of the SDP.

Leveraging the SDP at all levels

Hopefully you’ve seen how the SDP is designed to address needs at many levels. For security and product engineering teams, it provides practical guidance on how to apply security in their day-to-day work. For senior leadership, it provides an operating model that directly addresses the scalability and accountability structures necessary to support large organisations.

We hope you find the playbook to be a valuable addition to your toolkit. Need help applying these practices in your organisation? Get in touch!