Practices like Agile or DevOps introduce not just new tools and methodologies but also social practices, such as changes in work procedures and different communication paradigms. This affects classic control-based tollgate security and privacy processes. These processes are often hard to grasp and show little visible value, which makes them challenging to integrate into an Agile environment and difficult to automate. At Xebia we are convinced that this continuously changing interaction between people and technology has made security and privacy primarily a sociotechnical challenge. Xebia Security helps you optimize these interactions and find the right balance between innovation and resilience.
Our sociotechnical engineering approach consists of enabling three focus areas:
- Security organization
- Security culture
- Secure development lifecycle
Enabling security organization
A successful security transformation starts with breaking old routines and adopting new, desired behaviors. Key to this transformation is moving away from a strict top-down approach and empowering teams to become more autonomous. This approach requires a redesign of the security processes, guidance and support for teams, and a clear vision on continuous improvement.
Enabling security culture
Transformation initiatives often focus on technology, KPIs, processes, objectives, and organizational structure. While these are very relevant, achieving sustainable change requires continuous investment in people and culture. For security this means a change of mindset: while security hardly ever directly creates revenue, it protects the company from revenue loss or reduction. Facilitating this mindset change requires a clear vision and strategy combined with continuous knowledge sharing.
Enabling secure SDLC
A modern secure software development lifecycle should focus on automation, sustainability, scalability, and autonomy, and should be based on industry standards and best practices. Required policies and processes should be mapped onto the development lifecycle and implemented with the least possible disruption.
The key to success is actively involving key team members and providing the necessary knowledge and tools to do their day-to-day work securely. A ‘people first’ approach to your security process will increase the chances of its success.