ESG Blogs

Integrating, and thus automating, security via the continuous integration and delivery (CI/CD) processes of DevOps, an approach referred to as “DevSecOps,” is a topic that had, until somewhat recently, been discussed largely only at DevOps and cloud-specific forums and events. But DevSecOps is coming of age. The ongoing adoption of DevOps by enterprise organizations, and the growing interest in bringing security along for the ride, is getting the topic a bigger stage, with DevSecOps being presented in sessions at more mainstream events such as RSA Conference, the CISO Summit at Black Hat, and VMworld. The adoption of application containers and the Kubernetes environment that orchestrates their lifecycle across the build-ship-run continuum has also been a catalyst for CI/CD integrated security. Because DevSecOps starts with a cultural shift, leverages CI/CD methods, and requires purposeful controls, it is an amorphous concept not only hard to define, but challenging to make actionable.

This conversation with Doug Cahill examines the crucial - but all-too-often overlooked - necessity for cooperation between DevOps and Security teams. While there’s pretty much universal agreement that built-in security is better than bolted-on security, nonetheless the apparently (or at least potentially) competing objectives of DevOps (faster, faster, leaner) and Security (careful, careful, preclude risk) can appear to run counter to everyone’s desires. 

Hello dedicated readers! My blog is back from a restful week’s vacation on Cape Cod and ready to tackle the falling leaves, changing temperatures, and cybersecurity issues of Autumn.

Back in August, I wrote a few blogs about cybersecurity trends in small and mid-sized organizations (i.e. between 50 and 499 employees). The first blog looked at the state of cybersecurity at SMB firms and the second blog examined what they are doing to address these issues. 

Each year, ESG conducts a research project with the Information Systems Security Association (ISSA) on the mindset of cybersecurity professionals (the 2017 report is available here). As part of last year’s research, we asked respondents to identify the top actions their organizations should take in the future to improve cybersecurity. We then looked at this data based upon respondents’ roles, so we could look at the specific recommendations from CISOs (or other titles with equivalent job descriptions). 

Based upon this analysis:

Amidst the backdrop of a stated intent to relieve cybersecurity point tool fatigue by consolidating vendors, there is a lot of discussion, and confusion, around cybersecurity platforms. We’ve seen this before in both cybersecurity and other IT domains as products become features and products get aggregated into suites delivered on a platform comprised of a set of shared services.

In this video, my colleague Jon Oltsik and I share some of our thoughts from the recent CISO Summit at Black Hat 2018. While respecting the event’s Chatam House Rules that require us to keep CISO comments anonymous, we have a conversation about some of the takeaways from the panels and presentations at the event on central cybersecurity topics including:

We’ve seen an ongoing cybersecurity technology trend that goes something like this:

Recently, ESG completed its second annual enterprise-class cybersecurity vendor research. The story behind this project goes something like this: Enterprise organizations (i.e., those with 1,000 employees or more) have too many point tools and are now engaged in projects to integrate security technologies while eliminating some tools and vendors along the way.

Last week, I published a blog on the state of cybersecurity at small organizations. As a review, two-thirds of firms with 50 to 499 employees have experienced at least one cybersecurity incident over the past few years, leading to lost productivity and business disruptions. Survey respondents claim that the biggest contributing factors to these cybersecurity incidents include human error, a lack of knowledge about cyber risk, and new IT initiatives lacking proper cybersecurity oversight.

ESG recently completed a research survey of 400 cybersecurity and IT professionals working at small organizations (i.e., 50 to 499 employees) in North America. As you can imagine, these firms tend to have a small staff responsible for cybersecurity and IT, reporting to business management rather than CIOs or CISOs.