Does this sound familiar? You forward a big spreadsheet containing all kinds of security operations numbers to your management team to demonstrate your team’s value, but management is left on their own to make heads or tails of what you’ve sent. As you press “send,” you can almost hear the loud sighs coming from management’s offices.

Half of your brain is telling you that providing metrics about the value of security operations is positive. The other half is saying that very few people outside of security both understand and appreciate what you’ve demonstrated on that spreadsheet.

Security isn’t the only department that encounters these situations, but often our teams are so mired in “how we’ve always done things” that we forget there are tools and processes that can alleviate friction and allow us to share our achievements with other parts of the business. Adopting new processes is a shift with a learning curve, but it’s well worth the effort.

Let’s talk about what might help alleviate those sighs and actually further your security operations.

Separating buzzwords from business assets

Another term, “Agile,” is layered on top of DevOps, and seems to fit in but is completely different. The trend-lingo landscape is now nearly complete… and foggy.

Let’s take a step back and describe key differences between DevOps/DevSecOps and Agile. Wikipedia is something I don’t quote as a source often, but in this case, it is a reliable source of a definition. “DevOps (clipped compound of ‘software Development’ and ‘information technology OPerationS’) is a term used to refer to a set of practices that emphasize the collaboration and communication of both software developers and information technology (IT) professionals while automating the process of software delivery and infrastructure changes. It aims at establishing a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably.”

So then, what is DevSecOps? The short version is that it’s DevOps with security inserted into the process. Soooooo, what the heck is Agile then, and how does it fit? Agile is a core driver in DevOps; to keep pace with business needs, developers have started writing iterations of their code at blinding speeds. As a result, improved coordination between development and operations is needed to allow developers to deliver the code. The Agile approach is a type of project management that was created to facilitate quicker, smoother collaboration through incremental and continuous feedback loops.

Have I truly confused you yet?

How, then, do security operations run better with Agile? DevOps, DevSecOps, and Agile all imply pretty big changes to your organization.

DevOps and DevSecOps come into play if your organization is focused on delivering code on a regular basis. If you pivot into managing just security operations, though, implementing either DevOps or DevSecOps would be like trying to build a brand-new culture that you just don’t have time for (and might not be necessary since software development isn’t part of your daily operations). Agile is part of the code development realm as well, but it applies to other processes outside of the development life cycle, and organizations can adopt pieces of Agile and apply them to make the security operations team more efficient and more measurable as well.

If we can finally get the measuring part right in infosec, then we can show our value and make bigger impacts!

An example

Here’s a use case from my own experience: At my organization, I wanted to not only be able to track and report my team’s progress on their projects, but also provide an easy visual presentation for our team to look at so that we all understood what any employee is doing that week. We decided to use a Kanban board. Not only does it help to provide status, but it can easily help generate conversation about and options for any roadblocks that team members encounter.

Introducing the board fosters collaboration and idea sharing, and helps employees accomplish tasks much more quickly than without it. It also provides me with measurable progress about my team and my team’s activities that can then be reported to management (in clear and concise terms, without the sighing).

When applied properly, looking at Agile through a security operations lens can pay large dividends and help eliminate some of the confusion or pushback you receive from management.  


Kristy Westphal is a versatile information technology professional of 24 years with specific experience in providing advisory and management services in the area of information security and risk. She is currently employed as the Senior Manager of Security Tools at Charles Schwab. She has previously worked as the Director, Risk and Assurance with Vantiv and Director, Security Operations for T-Systems North America.

Kristy will present “Running Security Operations Agilely - Without Tripping” at Cyber Security World on Thursday, June 29, 2017.