Practice Makes Business Better

By Cormac Brady and
February 8, 2022

In today's digitally enabled global economy, it has never been easier to innovate and deliver customer value faster and more cost-effectively. What has become more challenging is keeping up with the never-ending volume of security threats and regulatory demands. It’s not that there were no threats or regulations in the past. It’s just that perpetrators today have unfettered access to technology, which makes it far easier for them to pose a threat.

It’s a bit like playing whack-a-mole at carnivals. As soon as you knock one down, others appear.

Thankfully, the evolution of DevOps into DevSecOps mitigates cyber risk considerably: no matter how many moles appear, you have a fighting chance. This collaboration across specialist functions has seen teams pragmatically adopt a long list of tools in their engineering, strengthening their development and delivery practices with hardened compute instances, SAST, DAST, and penetration testing. It has also given rise to a whole new industry dedicated to finding application vulnerabilities.

The practice has gained so much momentum and importance that rating agencies such as S&P and Moody's now draw on the vulnerability scores that firms like BitSight assign to publicly traded companies.

While these are commendable advances in containing risk, companies are not entirely immune to it. They are simply in a better position than most to avoid exposure to known vulnerabilities. Yet the perception of risk is different. With the fast adoption of agile and cloud services, which come with some of the best security practices baked in, our teams are under the impression that they are safe. The reality is the opposite: these teams will face new threats in the future that they have had little exposure to.

This is where the emerging practice of DevSecOps shines. It drives familiarity and develops trust between teams, enabling them to operate and execute decisively and purposefully during a crisis. This trust is developed over time and can be deepened through disciplined and regularly scheduled game days.

An often-overlooked discipline in DevSecOps, game days are entire days focusing on readiness drills, where we tease out gaps in our processes, identify false assumptions, and subsequently take steps to close those gaps.

So, how do game days work? A service team (an application team inclusive of all relevant disciplines) is presented with scenarios that they diligently walk through, outlining how and what they would do in each situation.

Game days can begin with basic practices and become more advanced over time. A good first game day for a team is to practice a failover event: test your system's resilience and surface dependency, architecture, or process gaps well ahead of a real incident.

More advanced game days should evolve to rehearsing a ransomware event with participation from legal counsel, the cyber insurer, the communications department, law enforcement (potentially), and many more. Simulating and rehearsing complex situations with a wide range of stakeholders and departments reinforces the importance of time and decisive action, both of which are critical to business continuity.

It also helps with preparedness. In a major crisis, you do not want to waste time figuring out whether you have cyber insurance or hunting for competent legal counsel. The feedback loop from these game days is incredibly valuable to your application design and operating model.

Practice makes business better.

Familiarity with everyone's role, and with who does what in a crisis, allows you to make faster, better decisions and recover the business more quickly. That demands a disciplined team that functions like a well-oiled machine. Such a team can make a strong impression on a customer even in a crisis.

Cormac Brady
Senior Technology Executive, DE&I champion