CSA Measure, Monitor, Report, and Action
Implementing and maintaining a DevSecOps initiative can take anywhere from a few months to several years. Continuous measurement is therefore essential to understanding what has changed in people, processes, and tooling over that time. Without actionable DevSecOps metrics and observability, teams cannot measure performance, understand progress, replicate success, or recognize failures, and all of these are prerequisites for a robust security posture. This publication discusses how measuring, monitoring, and reporting are crucial to understanding and improving security practices within the software development lifecycle. DevOps teams of all maturity levels will learn how to turn security metrics into reportable and observable data.
Introduction
Implementing and maintaining a DevSecOps initiative can take anywhere from a few months to several years. Continuous measurement of DevSecOps success and failure is the key differentiator when undertaking a wholesale change in people, processes, and tooling. The saying “you can’t manage what you don’t measure” has never been more true. Without actionable metrics and observability to measure performance, progress cannot be understood, success cannot be replicated, and failures cannot be recognized. The ability to measure, monitor, report, and act is an essential feature of any successful security program and supports effective decision-making. In this paper, we explore:
Making data observable: Turning security data and metrics into observable data
Scenario-based review: The concept of security observability applied to high and low performing teams
Improvement through reporting: Where to start on your security observability reporting journey
Key Takeaways
Implementing security in any digital project or organization is no easy feat. Businesses, incentivized to make money, push to release features faster, with market share at stake. The design and build of infrastructure and applications are measured against a complementary metric, performance (for example, speed to deploy, time taken to create a feature, time to test), which is often a good fit for business goals. Security, in contrast, typically measures success by compliance rather than performance: improving a security function usually makes teams and products more compliant. Compliance and performance can be opposing forces that require a delicate balance to avoid the perception that “security is a blocker.” This paper provides empirical evidence that three critical aspects of security and DevSecOps can be evaluated using performance metrics. We calculate how well projects and organizations manage vulnerabilities, architect secure services, and respond to incidents, which together provide security observability. Security observability gives business leaders an effective measure of security efficiency and performance and, most importantly, of where further investment and change are required.
How to make vulnerability, security architecture, and incident response data observable and actionable
How varying levels of DevSecOps maturity impact security observability and response
The importance of continuous measurement
How to enhance DevOps observability through reporting, including making data accessible, highlighting areas of opportunity, driving continuous improvement, and encouraging communication and collaboration