Talk round-up from 'Securing The Cloud: DevOps Best Practices for Secure Operations'
Shaojing Elfin Lee, Cyber Security Lead @ giffgaff UK
Having over 5 years of experience working within Cyber Security, from high-level consultancies to Tech start-ups, we had the amazing Shaojing Elfin Lee offer a different perspective on embedding Security into a business, drawing on her experiences, challenges and successes in embedding Security into DevOps across an organisation by shifting its internal culture.
Shaojing has a passion for Security and is always looking to give back to her community, volunteering on various initiatives that inspire people getting into Cyber Security, such as Women in Cyber and CyberFirst school mentorship, to name a few.
Challenges within the organisation?
As a challenger within the Telecommunication space, giffgaff are paving the way for the industry, offering their ‘Members’ cheaper, fairer and simpler communication services underlined by the giffgaff name and motto, meaning “Mutual giving and Fair Exchange.”
So why not within Security?
With over 50% of the workforce comprising Tech roles, giffgaff are ahead of their counterparts in the Tech space, focusing on Cloud-native applications and innovative technologies, with the DevOps team having completed their digital transformation to the Cloud before Shaojing had even joined.
With only 1 person working within Security when she joined, this time last year, it was clear that Security had been siloed during this transformation. With a fearful outlook towards Security across the business (not just within Tech), there were clear gaps in the DevOps processes underpinning the giffgaff platform: Security had been left behind, with production speed and quality the priority. There was a clear lack of resources, training and understanding of security protocols and of their importance across the platform and the company.
So how does one go about changing Security processes within a company and adopting a Culture Shift?
Defence in depth, or as Shaojing explains it the “Swiss Cheese Model”, is an important approach for Security Engineers and Tech teams alike to follow in order to apply best practice across Security. By layering different types of controls into environments, phases and processes, we improve the chances of stopping a Security breach across the systems. Start with planning, design and code commit: close that gap first, then look after the other areas and build out controls to close the remaining gaps.
What is the easiest to change? Process looks easiest, as it is internal and can be shaped how you want, but it can be very difficult because it requires a lot of knowledge around tooling and the things you want to implement.
1️⃣ Evaluate the technology and Tech stacks, and identify how the teams interact with these tools, including the platform teams and how they provide support to the wider teams and platform. Build in Security reviews manually: run through the types of vulnerabilities with teams, why they matter to you and how they impact their day-to-day products in general. Engage with people more and spread the passion and awareness so that people come together around security. “Unification is Power”
2️⃣ Security Champions Program: you need to start with a proper role spec and engage the champions with workshops, seminars, feedback sessions etc. Focus this effort and gather everyone together, showcasing simulations, with internal and external speakers in the office presenting different case studies of what could happen when executing such a project. This was the turning point for Security.
3️⃣ Host a tournament across teams, pairing them up on different projects and setting a competition: who can resolve the most vulnerabilities in 1 day? This is more about engagement and how we can work with different teams together to make the production environment officially more secure.
4️⃣ Build out the Security team so there are people to bounce ideas off.
👉 Vulnerabilities would previously take over a year to be looked at and resolved; during the 24-hour competition 200+ vulnerabilities were resolved at its peak. As a result, the teams are now embedding Security practices into their everyday work patterns, and instead of the Security team having to chase every relevant team for critical fixes, the teams were notifying the Security team that vulnerabilities had already been remediated before any issues were announced!
👉 The Security Champions Program started with 5 people signed up initially and grew to 36 signups for the tournaments throughout the year, with over 80 people turning up to their breakfast workshops and sessions.
👉 Having initially been questioned and doubted about her role and the importance of Security within the business, with teams and stakeholders asking “Why? Why? Why?”, she is now not only no longer questioned, but teams come directly to her asking for information and her involvement on projects when it comes to their changes and initiatives relating to Security.
To hear more about Shaojing's talk and to watch the full recording, head over to our YouTube 🚀