3 Comments
James Kaplan

Setting: a conference room at a large financial institution, circa 2013

The players: head of infrastructure engineering, Business Unit CIO, me (watching bemusedly)

Head of engineering: < explains DevOps >

BU CIO: so we'll get developer access to production again? Awesome!

Head of engineering: I don't think that's...

Me: rubbing forehead in a futile attempt to fend off an impending headache

DevOps/SRE (combined with platform engineering!) is definitely the way forward.

DevOps without platform engineering is just a mess.

Atul

I really found this statement intriguing: the CISO's job wasn't to eliminate or even necessarily reduce risk, but to help business leaders take intelligent technology risks, justified by likely business value.

It positions security as a business enabler, facilitating growth by quantifying the relationship between technology risk and business value, and partnering closely with executive functions.

Balancing resilience with business agility.

The company doesn't exist to be secure, it exists to generate revenue.

The CIACD framing raised a question for me about conflating concerns.

CIA is achieved through well-understood patterns and architectures, while deployment is fundamentally an engineering and operational discipline (DevSecOps/SRE/Platform-engineering). In my view, explicitly separating these concerns while tightly governing their interfaces helps.

For example, clear SLIs/SLOs (99.999% availability --> ~5 minutes of unplanned downtime annually), while keeping deployment squarely in engineering/DevSecOps, can achieve the outcome. Though I'd be interested in your perspective on when tighter unification works better.

Comment removed (Dec 18)

James Kaplan

One nuance to my earlier statement:

Years ago I read that customers of a retail bank couldn’t access the on-line portal because of a DDoS attack. I happened to know the CISO from various industry events so I sent over a note along the lines of “sounds like a tough day with the DDoS attack.”

The CISO called me back.

There was no DDoS attack.

Somebody had misconfigured a router, taking down the on-line portal.

The local newspaper reported the event as a DDoS attack without confirmation.

Corporate comms decided not to correct the newspaper on the theory that a DDoS attack sounded less embarrassing than fouling up a software update on a router.