Outnumbered, outgunned but never outsmarted: DevSecOps levies
I have yet to work in an environment where I get all the budget and people hours I want, where the customers wait nicely for the last campaign to die down before having issues, and where the attackers respect days off and conferences.
Hiring in cyber is hard, water is wet and DCs need climate control. Now that we're done with platitudes, here's the rule I have used with great success in my teams:
- Design your security observability so it overlaps with metrics other teams already care about. Over time it allowed me to build dashboards and alerts that always had eyes on them beyond the security team, and that created tangible value for other business functions.
You know you're there when a Dev, Ops or Marketing person hits you up on Slack/Teams/carrier pigeon with "Hey, I was looking at X graph and I think there's something weird, can't put my finger on it, would you give me your thoughts?"
Last time it happened we uncovered a credential stuffing campaign that had managed to remain below 3 standard deviations on most of our statistics-based alerts. Uncovered by a senior dev who wasn't even that much into security, but who would guard their SLAs with the fighting spirit of a mama bear.
That's when you know it's working.
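To make the point concrete, here is an added example (my own illustration, not code or data from the original post): a per-hour 3-sigma alert on failed-login counts stays silent on a constructed low-and-slow credential-stuffing pattern, while a cumulative-sum (CUSUM) check on the login success rate, the kind of metric a dev team guards as an SLA, surfaces the sustained drift. The hourly counters, the extra 12 failures per hour and the CUSUM thresholds are all assumptions.

```python
"""Added example, not from the original post: a per-hour 3-sigma alert on failed
logins misses a constructed low-and-slow credential-stuffing pattern, while a
CUSUM check on the login success rate (a metric a dev team guards as an SLA)
catches the sustained drift. All counters are constructed; thresholds are assumed."""
import statistics

# Constructed hourly (attempts, failures): 24 baseline hours, then 8 hours carrying
# an assumed extra ~12 failed attempts each, thin enough to stay under 3 sigma.
BASELINE_FAILS = [92, 108, 99, 104, 95, 110, 88, 101, 97, 106, 93, 102,
                  109, 91, 100, 98, 105, 94, 103, 96, 107, 90, 101, 99]
ATTACK_FAILS = [111, 113, 110, 114, 112, 109, 113, 111]
HOURS = [(1000, f) for f in BASELINE_FAILS] + [(1012, f) for f in ATTACK_FAILS]
BASELINE_HOURS = 24


def sigma_alert_hours(hours, n_baseline=BASELINE_HOURS, z_limit=3.0):
    """Security-team style alert: hour indexes whose failure count exceeds
    baseline mean + z_limit * stdev. Returns [] for the constructed data."""
    fails = [f for _, f in hours[:n_baseline]]
    mu, sd = statistics.mean(fails), statistics.stdev(fails)
    return [i for i, (_, f) in enumerate(hours) if (f - mu) / sd > z_limit]


def cusum_alert_hours(hours, n_baseline=BASELINE_HOURS, k_sigmas=0.5, h_sigmas=5.0):
    """CUSUM on the success-rate metric: accumulate each hour's shortfall below
    the baseline mean (minus a small allowance k) and alert once the running sum
    exceeds h. Per-hour drops that never trip 3 sigma add up here."""
    rates = [1 - f / a for a, f in hours]
    base = rates[:n_baseline]
    mu, sd = statistics.mean(base), statistics.stdev(base)
    k, h = k_sigmas * sd, h_sigmas * sd
    s, alerts = 0.0, []
    for i, r in enumerate(rates):
        s = max(0.0, s + (mu - r) - k)   # reset to zero while the metric is healthy
        if s > h:
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    print("3-sigma failed-login alert fired on hours:", sigma_alert_hours(HOURS))
    print("success-rate CUSUM alert fired on hours:  ", cusum_alert_hours(HOURS))
```

The first function returns an empty list for every hour, including the eight attack hours; the second starts firing a few hours into the campaign and only there, never during the baseline.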