In the previous chapters, we discussed enabling the fast flow of work from check-in to release, as well as creating the reciprocal fast flow of feedback. We explored the cultural rituals that reinforce the acceleration of organizational learning and amplification of weak failure signals that help us create an ever safer system of work.
In Part VI, we further extend these activities so that we not only achieve Development and Operations goals, but also simultaneously achieve Information Security goals, helping us create a high degree of assurance around the confidentiality, integrity, and availability of our services and data.
Instead of inspecting security into our product at the end of the process, we will create and integrate security controls into the daily work of Development and Operations, so that security is part of everyone’s job, every day. Ideally, this work will be automated and put into our deployment pipeline. Furthermore, we will augment our manual practices, acceptances, and approval processes with automated controls, relying less on controls such as separation of duties and change approval processes.
By automating these activities, we can generate evidence on demand to demonstrate that our controls are operating effectively, whether to auditors, assessors, or anyone else working in our value stream.
In the end, we will not only improve security, but also create processes that are easier to audit and that attest to the effectiveness of controls, in support of compliance with regulatory and contractual obligations. We do this by:
When we integrate security work into everyone’s daily work, making it everyone’s responsibility, we help the organization have better security. Better security means that we are defensible and sensible with our data. It means that we are reliable and have business continuity by being more available and more capable of easily recovering from issues. We are also able to overcome security problems before they cause catastrophic results, and we can increase the predictability of our systems. And, perhaps most importantly, we can secure our systems and data better than ever.