Discussion about this post

James Kaplan:

Setting: a conference room at a large financial institution, circa 2013

The players: head of infrastructure engineering, Business Unit CIO, me (watching bemusedly)

Head of engineering: < explains DevOps >

BU CIO: so we'll get developer access to production again? Awesome!

Head of engineering: I don't think that's...

Me: rubbing forehead in a futile attempt to fend off an impending headache

DevOps/SRE (combined with platform engineering!) is definitely the way forward.

DevOps without platform engineering is just a mess.

Atul:

I really found this statement intriguing: the CISO's job wasn't to eliminate or even necessarily reduce risk, but to help business leaders take intelligent technology risks, justified by likely business value.

It positions security as a business enabler, facilitating growth by quantifying the relationship between technology risk and business value and partnering closely with executive functions.

Balancing resilience with business agility.

The company doesn't exist to be secure, it exists to generate revenue.

The CIACD framing raised a question for me about conflating concerns.

CIA is achieved through well-understood patterns and architectures, while deployment is fundamentally an engineering and operational discipline (DevSecOps/SRE/Platform-engineering). In my view, explicitly separating these concerns while tightly governing their interfaces helps.

For example, clear SLIs/SLOs (99.999% availability, i.e. ~5 minutes of unplanned downtime annually) while keeping deployment squarely in engineering/DevSecOps can achieve the outcome. Though I'd be interested in your perspective on when tighter unification works better.
