Talking DevSecOps on the CISO Series Podcast

When GigaOm VP of Research Jon Collins published his latest report, “GigaOm Radar for Evaluating DevSecOps Tools,” it kicked off a discussion on the popular CISO/Security Vendor Relationship Podcast co-hosted by David Spark and Mike Johnson. In that podcast, available here, Spark and Johnson discussed the report with Doug Cahill, vice president and group director of cybersecurity at Enterprise Strategy Group.

Cahill talked about Collins’ approach to evaluating the DevSecOps tool space and the dynamics involved in assessing and selecting DevSecOps solutions. As Cahill noted, modern application development is all about “agility and moving quickly—it’s continuous everything.” And in that context, Cahill said, security needs to be integrated into every phase of the application lifecycle—something DevSecOps solutions are designed to do.

“A lot of traditional cybersecurity controls don’t integrate natively into build tools like Jenkins, or they don’t provide alerts vis-à-vis Jenkins, PagerDuty, in Slack; they may not open a ticket automatically in Jira; they may not have the ability to assign a policy by integrating with orchestration tools like Jenkins or Kubernetes,” Cahill explains. “That’s just a short list of the types of tools that those teams use. The controls have to snap in, they have to support those types of environments. You get less friction and the result is you can automate security by integration with those tools.”

Spark noted that the Radar report and related “Key Criteria for Evaluating DevSecOps” report provide a framework for decision making, defining selection criteria and evaluation metrics to assess solutions. Johnson weighed in with his thoughts on the approach.

“I looked at the report and I was really impressed with the framework. I don’t have this finely crafted of a framework,” Johnson told Spark during the podcast. “I look for fit with purpose. What is the problem that I am trying to solve, or the set of problems I am trying to solve?”

One aspect of the reports that stood out to Johnson was the emphasis on ROI in DevSecOps. ROI is not often weighed as a critical decision factor in security solutions, Johnson said, but he found that Collins offered a compelling angle that can help organizations assess the efficiency and value of tools.

“They actually had a really good definition here, which was ‘Gains of the tooling significantly outweigh the costs and overhead of using it,’” Johnson said. “So it’s not saying it’s going to save you X amount of dollars. It’s helping you answer [the question], ‘Is it worth it?’”