Improve Cybersecurity companywide
In October 2019, Xebia was asked to help the Dutch railway company, NS, to make Cyber Security part of its Agile transformation. To discover what Agile and DevOps means for Cybersecurity, Anne-Sophie Teunissen (Security Consultant at Xebia) used ten months to guide the company's Information Risk Management Team through three essential steps: Creating an Agile Manifesto, a DevOps Playbook and sharing knowledge to raise the level of Security Awareness.
Make Cybersecurity part of Agile/DevOps Transformation
Increase Awareness and Boost Autonomy
Sharing Knowledge and Offering Guidance
Nederlandse Spoorwegen (NS) is a Dutch state-owned company, the Netherlands' leading railway operator. Did you know that the Dutch railway is the busiest in the EU and the third busiest in the world? Its operations are magnificent; every day, 24,000 employees ensure people can travel from one point to another by train.
To create a more flexible and modern way of working, NS is currently in the middle of an Agile and DevOps transformation, a change that impacts all aspects of the business. Regarding security, NS was looking for a way to make Cybersecurity part of that transformation. Working together with Xebia's Anne-Sophie Teunissen, the company boosted its knowledge level and sparked a behavioral change.
A lot of the work Xebia does is centered around technology. As needs change, so does technology. Still, an essential part of any change is behavior. There's more to a Digital Transformation than presenting a new methodology or framework or asking people to work with tool X instead of Y. NS is a large organization, and introducing an Agile and DevOps way of working impacts everyone. Xebia helped the company's Information Risk Management (IRM) team deepen its understanding of Cybersecurity in an Agile setting, raise awareness throughout the entire business, and ultimately, transform every NS employee's behavior accordingly.
One of the first documents the IRM team created with Anne-Sophie was an Agile Manifesto, a code of conduct. It contains a detailed description of the old (waterfall) and new (Agile/DevOps) behavior. Every department has its unique document, as changing your strategy has different implications for different teams. The Manifesto's primary goal is to contrast the ways of working as concretely as possible to determine what impact Agile and DevOps have on security.
"IT is becoming a larger part of our business. As our business is transforming, we need to clarify to all 24,000 employees what this shift means for using IT daily. Especially because the change is not just a behavioral one - it has a large IT component too - having a document that provides insight into both is very helpful. You can constantly review it to check if you are still on the right track." - Lies Alderlieste, Chief Information Security Officer & Manager Information Risk Management Team NS.
In addition to the Agile Manifesto, a DevOps Playbook was created. This document is primarily intended for developers and teaches them how to work securely according to the DevOps methodology. Like the Manifesto, the Playbook aims to let people see for themselves why certain activities are risky. It contains gamification elements and various scenarios that employees can then work through themselves. DevOps is mainly focused on improving the collaboration between the development teams and the management teams, allowing you to bring your products from the production environment to the live environment in less time. The Playbook helps both developers and administrators do this in a more secure, autonomous, and Agile way.
"I like to compare this part of the journey to obtaining your driver's license. The Playbook contains all lessons; everything you need to know before you hit the road, you can find here. Previously, a Security officer's role might have resembled that of a police officer, telling you what you could and could not do, for example, driving faster than 120 km per hour. Agile and DevOps place a great part of this responsibility on our employees themselves. We explain why it is safer not to drive faster than 120 km per hour by describing the risks. After that, it's up to you to make the choices you perceive to be the best." - Lies Alderlieste, Chief Information Security Officer & Manager Information Risk Management Team NS.
Finally, Anne-Sophie provided NS with insights into the new roles and responsibilities of an Agile/DevOps organization as part of the Target Operating Model, describing the 'as is' and the 'to be' for people, processes, and technology. One of the main parts of the model was knowledge.
"Anne-Sophie shared so much of her knowledge with us. Our team was surprised by her expertise. As the end of our collaboration neared, some even wondered how we would proceed without her. Anne-Sophie left us with detailed advice on how to continue the process we have set in motion together, including suggestions for training courses that will further support our teams. Working in an Agile and DevOps way places more responsibility on the individual, and getting our knowledge level on par is part of that process." - Lies Alderlieste, Chief Information Security Officer & Manager Information Risk Management Team NS.
The fast deployment of products and services is key to running a successful business. For innovation to flourish, security needs to be covered from the start, instantly, and continuously.
Today's changing world requires critical and aware customers to put security high on the agenda. Xebia Security offers security services to top companies that accelerate and innovate by using modern secure software development methods.