
Good morning everyone, thank you for choosing to come to my talk. There are a couple of different tracks going, so I really appreciate that you're here listening to me. My name is Seb, I'm head of application security at LRQA. My job is all around product security, so I work with software engineers, I partner with engineering functions, I change how they work, I introduce tooling, add education, change processes, and my job's all about trying to create a secure product: one that protects customer data, but one that stays up in the face of adversity on the internet. Before LRQA I was senior engineering manager at ClearBank, where I was looking after the security platform teams, and before that I worked at Veracode; they are a Gartner leader in application security testing, and I was a consultant with them. That is a LinkedIn QR code, please feel free to scan it and add me. If anything that I talk about today resonates with you, I'd love to hear from you to take the conversation further; equally, if you're not happy with anything I talk about today, I'd love to hear from you too.

Brilliant. So I'm an engineer by trade. I started off my career as a software developer working with .NET, but a few years ago this opportunity came up. So my background is software development, I'm quite good at building things, but I'm also quite good at breaking things. I grew up in a place called Caithness. Has anyone been to Caithness? Anyone heard of Caithness? Okay, right, so you've all heard of Mordor, right? If they had just kept going, just past Mordor, they'd have got to Caithness. Caithness is at the very top of Scotland; there's not a lot going on there. My closest cinema was four hours away on the train, both ways. So I grew up with computers, and I grew up with capture the flags, and I had a bit of a misspent youth. Much of the skills you learn as a pentester I had as a teen, and that gave me an advantage, I guess. As a software developer I could build things, I could break things, and I had a good niche for myself. But I got this opportunity to do what we now call a DevSecOps transformation, or really what's better called a change programme, and I got to work with eight teams. I was trying to change how they worked, trying to look at the SDLC as a system: can I inject something here, can I add some education there, change some process here, and build a secure product in the first place. And I really, really enjoyed that.

What I found doing that, and I've been doing it for several years now, is that application security is very much a people problem. I've seen it enough times now: I can give two teams the same tools, the same processes, and get totally different outcomes. One team will smash it, they will own their security, the ethos is there, the culture is there; when they go to a pentest they expect to find nothing, that's what they like. But other teams don't get it, the ethos is not there, so they dodge the tools, they turn the tools off, they don't tell you. Not quite right. So what's different? Well, it's ethos, it's culture, and I guess that opened up a field of study for me. It wasn't until a few years later, when I was working at Clarks, the famous shoe company, and I was working at the time with the VP of engineering, his name was Victor, and he sat me down and told me: Seb, you've got a talent for change management. And I thought, how can you have a talent for it? What? And little did I know that he had managed to
steal this phrase from a well-researched topic: organisational change, how you change cultures, how you change people. The reason that I want to talk about that today is because maybe some of you have a talent for change management, you've just never been introduced to it. So this is your introduction.

Just to set the scene, I want to talk about what I see as the hardest problem. Many of you in the crowd today are going to be part of what I call the find camp: your pentesters, your red teams, your security analysts, you might be part of the variety of security vendor tooling that we have, okay, SAST, DAST, IAST, SCA, I mean every year a new acronym, a new market, so we become a new market leader in something; lots and lots of tools. And your job is to find flaws, okay, and that's very satisfying; it's got a very quick feedback loop, it's very technical, it's a technical pursuit. Now a smaller proportion of you are part of what I call the fix camp. That could be developers, that could be infrastructure engineers doing the patching, but it's also the GRC people among us, or the managers. Your job is to take that find and convince somebody to fix it, and that gets a lot harder. Now we're talking about governance, we're talking about compliance, we're talking about risk and priorities, we could be talking about cost: can we afford to fix it, is it worth it? And now we've got softer blends of skills, stakeholder management, all that kind of thing comes into play. Tougher job. And then an even smaller part of the crowd is going to be part of what I call the prevent camp, and this is my camp. So this is now a step ahead: how do we change the culture in the team, the ethos, so that they can embrace security? In a prevent world we have the tooling in play, we catch things quicker, faster, and fix them easier. In a prevent world we have more advanced practices like threat modelling, and developers can run them themselves. This is a good world to be in, but it's very, very hard to get to, and that's what I want to talk about today.

So I'm going to talk about three things. One is roadmaps. I said I do DevSecOps transformations, so I'm usually in at the start: we've got a bunch of engineering teams who want to change how they work, and I come in at the start, so I'll talk about my general plans for that kind of thing. I also want to bring in some of the science, so you'll see some science; very little of what I'm talking about today I've made up, I just take research from other areas and blend it into DevSecOps, and introduce you to that literature. I'm also going to talk a bit about sustainability and succession planning. One of the hardest things with change management is to keep a change going, and my response to that is to try and develop leaders, to try and enable opportunities to promote people into junior management positions and develop them as managers so that they can be the flag bearers, lead the way, keep the change going. And the last one I want to talk to, and this one's a little bit MBA, so we'll see how it goes, is really around growth and what I call intrapreneurship: how you can grow a function to get more resources, to get more influence. Not empire building, intrapreneurship. I'll talk about that in a bit.

So for a DevSecOps transformation I'm usually looking at a two to three year horizon for the change. Why is it two to three years? That really comes down to the mix of people in an organisation. When you're starting a change programme you're going to have a percentage of people who are going to support your change; they're on board, they're drinking the same Kool-Aid as you, okay. But there's going to be another section who don't like Kool-Aid, they don't like the change, okay. And you're going to have a big wodge of people in the middle who are quite agnostic. The reason we're looking at two to three years is because the annual turnover in staff is actually about 10%, so every year of this change programme I will get 10% new people coming into the organisation, and as long as I can capture them, show them what the world should look like, and they believe it looks like that, they will be part of my change. So that's generally why it takes two to three years to get a
cultural change in an organisation.

Now, the top layer: we're talking about security posture. A lot of you are going to see these things and think, oh yes, I've seen that, I might have done that. That is around improving the posture of an organisation, and it generally starts with an assessment stage. That writing is not too small, right? You can read that. There's generally an assessment stage, and there are some very, very good, mature frameworks out there for assessing security in the SDLC and for teams. OWASP SAMM, the Software Assurance Maturity Model, very, very good. We've got the NIST Secure Software Development Framework, SSDF; slightly newer, fits very well with the NIST framework. My favourite is BSIMM. Has anyone heard of BSIMM, the Building Security In Maturity Model? No one at all? It's about 13 years old, actually. Very good framework for assessing the maturity of a team for secure development. It's curated by Synopsys; some of you might have heard of Synopsys, they're quite popular as vendors, yeah, I see a couple of nodding heads. I like BSIMM mostly because the material that Synopsys produce is very professional; I'm quite happy talking a CTO through that material. They also have benchmarking, industry benchmarking data, so I'm able to assess a team and say, well, really for your industry you should be over here, which again is very good for convincing people why something is important, or how far we might be behind.

After that I will then lean into people-focused initiatives, and that usually starts with developer security training. At some point I am going to bring in a static analysis tool and a cloud security posture management tool; I am going to bring that stuff in, but if I haven't taught people the language of these tools they're not going to understand what the tool is telling them, and if you're told a bunch of things you don't understand, you will dismiss it as noise. So you have to start with education, okay: bring in KnowBe4 or Hacksplaining or one of these other partners, teach people before you give them the tool. I will then look to a mature tool. The reason for this is because I want to get an easy metric on the security health of my estate. Static analysis is very good for this: I can plug into a source code management system and get a very quick handle on a metric of security health. That's very handy, and it will become part of my reporting, part of my return on investment, part of being able to prove that the world is getting better. But you might choose cloud security posture management. A word of warning: don't pick them all, that's just too much noise and you'll spend all your time aggregating data, and that's not very good. Just do one and do it well. And also, please, please don't take this roadmap and copy and paste it into your own. I'm really trying to portray the order in which I'm trying to do things: start with education, get an automated security metric. The next one, I'll start looking more at perimeter defences, because no doubt you're in an organisation, especially if they've been there for five or more years, where you're going to find stuff; you're lifting up carpets, oh, there are things we have to fix. Stuff like web application firewalls: they're actually very versatile, not just for preventing common web application attacks, but if I have parts of my estate that I can't fix easily, might be legacy, it's packages we can't update, stuff like WAFs are very flexible and can help you mitigate other things. So quite handy. They are also a source of data on what's happening on the internet, real attacks that are happening against you, and being able to get some of that data over to developers to show them that the threat is real is very handy. So we've got WAFs.

Policies and procedures: I usually bring this in probably in the second year, once I've got a handle on what good looks like, what's sustainable, and then yes, we might talk about policies and procedures. I don't like starting with policies and procedures, which many people do; compliance-driven security is not very inspiring, that's a really hard story to sell, so I would generally bring it in in the second year. And lastly, stuff like threat modelling. I mean, threat modelling is really the pinnacle for me of secure software design: when you can get developers who can own this (oh, off again, sorry), when you can get developers to own it, start attacking applications before anything is built, that's the nirvana, that's where we want to get to. But it takes a lot of education and ethos and culture before we can do that
successfully. So I think the rest of my slide just came up now. That's posture stuff; that's only half of the story. The other half of the story is organisational change, so I have another suite of initiatives at the bottom. I love security chapters and champions, but I think they get a bit of a bad rep because people treat them like cheap resourcing. That's not what it's about. It's about finding that initial coalition, that voice of people that support your cause; that's what security chapters and champions are about. It's about winning fans, it's about getting early feedback. You're about to bring in static analysis tooling; it gives you developers to bring into that journey of buying a tool. Have them on the sales calls, so that they have a stake in the tool that's being brought in and they can sell it to their team. Security chapter: fantastic. And I've hired out of the security chapter, okay; that tends to be my pool. When I'm ready I will try and convince an engineer from that pool to come into security. Some of them are here today.

Once you've got that chapter and champions, once you've done your assessment, the next stage is building a roadmap. The roadmap is your vision; that's the direction of travel that you're going in. The roadmap is your anchor in the storm that is security, okay: every incident is trying to ruin your agenda, or other parts of the organisation are trying to ruin your agenda. Your roadmap is your stance, your stance in the chaos, okay; it gives you a mechanism to push back. People also don't invest in people, okay. I can't go to the CEO and say, you need to give Seb half a million pounds. No. What are you going to do with it, Seb? Well, I've got a roadmap, I'm going to deliver these things. Okay, people invest in roadmaps, they don't invest in people.

Once we've got some of that, I start to turn on the communications engine. I will have a front door; I try and make my team as accessible as possible, so this could be a channel in Teams or a Slack channel. Try and get out of the basement, get people talking to us, get some feedback, and start regularly communicating. I produce a report that I'll send out to the whole organisation every two weeks. I will present at every all-hands I can, to have a continual presence so people know that we're here and all the good stuff that's happening.

I will then start to work out secondments and rotations. They're fantastic. Not only do I want developers to come into the security sphere to see what we're doing, understand what tools we're working with, understand the challenges that we have, but I want them to make friends, I want them to make relationships. What I really want is asynchronous methods of communication that are happening, and rotations are very, very good for establishing that. But it works the other way too: I want my team to get out into the developer sphere, I want them to understand the tools that they're working with, I want them to understand the pain, I want them to build empathy for developers, because developers have many stakeholders and they have a tough job. If I can get my team members in there, they develop empathy, they develop friends, and friends are very, very important. And it's the true worth of a leader: if you are trying to establish rotations, some managers will be very supportive, and they are true leaders; they understand what's best for the organisation, building friends, making connections, finding reasons to stay with the company. If you find a manager that is resistant to rotations, well, it's very telling.

Gamification. I will also start to bring in gamification at this point; gamification is great. So how can I enable teams to see how well they're competing against their peers? We are very competitive in security as well. It makes things interesting, keeps the interest going. It has to be done delicately, it has to be done with respect; you really should only be rewarding the teams that improve the most, month by month. Not just, you know, you'll have one team who have a greenfield estate and they're able to do everything perfectly because that's the estate that they landed in; you'll have other teams that have to hold together a 20-year-old Java application on Oracle, and now have to use Oracle Cloud, it's awful. That's not their fault, and they will always come last in the reporting, but it's not their fault. But if they improve they should absolutely be rewarded. So you really should be gamifying on the improvement. Bear with me, I'm slightly amateur at this. Oh no,
you're talking too much and not doing the slides. Okay. So, and lastly, succession planning; I'm going to talk about that in a second. But I wanted to bring in the science. Seb, why are you doing these initiatives in this order? John Kotter, Harvard professor, many, many years a researcher in leadership and management and organisational change. If you have done a masters in management, an MBA, you will have heard of John Kotter, okay, the Harvard professor. Kotter has a model called Kotter's eight steps, eight steps for organisational change, and I'm going to talk you through how I've weaved that into my roadmaps.

Step one of Kotter's organisational change is urgency. You have to be able to tell people why you have to change, why it's important, why we're doing it now. That could be by establishing that your maturity is way below the industry average; that could be your reason to change. It could be customer pressure, it could be new regulation; all too often it happens to be a breach, but that's your urgency, that's what starts the change. The second step is about the coalition: a lone voice is not very loud, a group of voices is much louder. You need to go and find your other advocates, your other people that see the world how you see it and want to be part of the change. You need to build that coalition, and that's why the security chapter is so important. Once you've got a coalition you need a vision, and that's where the roadmap is. You need a state of nirvana: what are you all working towards? You then need to communicate, communicate, communicate, communicate, especially in remote working environments: Teams, emails, present frequently, just to communicate the change and stay present. You then need to, what's five? Yeah, empower people to keep the change going. You need to be able to give away responsibilities, and that's where the secondments, rotations and again the security chapter and champions can be very helpful. You can start to give powers back to people: to run their own tooling, to have permissions to suppress flaws. You're empowering people to be part of the change. And then you need to be able to communicate all the wins that are happening, okay. We spoke already about that static analysis metric or the cloud security posture metric; if you're reporting that on a regular cadence you're demonstrating return on investment, and it gives you the case to go and ask for more money. That's a good thing. And lastly, well, number seven is about not letting up. Changes can burn out; organisational change is two to three years, and it's quite hard to keep momentum going for that long. You have to work out novel ways of doing it; gamification is a very good way of doing that. You will have other organisational changes that are competing for airtime, and gamification is part of the answer. And lastly is about making it stick. How do you make your change stick? And for me that is about succession planning and developing new leaders so they can take the flag and I can go off onto my next thing.

So Kotter's eight steps for change; there's a reference there, I will send out the slides after if anyone's interested. This is a very good book, What Leaders Really Do; it's quite old now but you can get it on Amazon for just a couple of pounds for the hardback. I would recommend it.

Okay, so sustainability, succession planning: how do I keep the change going, how do I develop leaders? My first step. This is the small part of the talk where I will say, this is, I guess, original thought, so you can take it or leave it, that's fine, I won't be offended. My model for performance objectives when I've got staff members is centred around three aspects. The first one is about decision making. I need to develop good, strong leaders; I need you to be able to make good decisions, that's what I care about. But what is good decision making? Well, that's about your ability to go and run experiments, it's about
your ability to go and gather data or get evidence, it's about your willingness to go and seek an opposing opinion to get diversity in your thoughts. These are all the aspects that make good decision making. Really what I'm trying to do is train my team members to be able to make good decisions, but also to be able to articulate the assurance process of decision making, because that is what senior leaders are looking for. They don't care about the decision that you make; they care about how you make it. They want to know that if they follow the same steps that you did, got the data, ran the experiment, spoke to all these people, if they follow that assurance process they'll come out with the same answer. That's what they care about, not the answer itself.

The second one, then. So decision making, that's about choosing the best path, okay: of all the paths you could take, can you choose the best path? Once you've chosen a path you need to convince people to go down the path, and that's where leadership comes in, and that's a whole different ball game of skills, okay: communication skills, being able to present, being able to tell a story, being able to sell something, that's all part of leadership. Being able to make people feel safe, psychological safety; all aspects of leadership that I need my junior managers to adopt and practice. So you've chosen the best path, you have convinced somebody to follow it, and the inevitable happens: new data comes along, you're on the wrong path. It's just life. But to do that repeatedly requires resilience, and what a wealth of conversations to have in one-to-ones. How do you make someone personally resilient? And now we're talking about work-life balance, avoiding burnout, talking about priorities; we're also talking about friendship. It is well researched that one of the aspects of living a long, healthy life, the people that live longer, they have strong social connections. My challenge to you is that the number of friends you have at work will correlate to your performance at work. If I want you to perform better, I need to encourage you to make friends within the business. So that's objective setting: I'll set those three objectives, I want you to develop these skills.

Now, from my experience, one of the biggest challenges in technology that I've had developing leaders is around politics, company politics: the refusal to play, or be seen playing, in company politics. Nobody likes politics, but it's a matter of life, especially when you're in an advocacy role. I am an advocate of DevSecOps; I'm playing an advocacy role. I need time on people's backlogs and I need them to change how they work, but I don't have control, I have no authority, so all I can use is influence. So I need to learn to play the game, like all professionals. One of the ways that I tried to reframe politics, and the irony of this is not lost on me: many of you will have used Kali or one of the other variety of security tools we have. How is firing a tool like that at production any different from taking the skills of influence in politics and trying to make a positive change in your organisation? It's not the tools that are evil, it's the people that use them.

My other challenge, and I think I've put a reference to another book there actually, The Leadership Pipeline, which I definitely recommend going to take a look at. This was actually developed out of GE's leadership development team; it's a very good book about developing leaders, and it really articulated to me the difference between skills and values, which is a really tricky one to navigate when you're trying to grow junior managers very, very quickly. Just because somebody has the skills to do something, to lead, to manage, to manage projects, manage budgets, just because they have the skills it doesn't mean their values have caught up; it doesn't mean they value that skill, and that can be really dangerous territory. That's what happens when people get promoted too early: their values have not caught up. And the problem when you're in a role where you have to use a bunch of skills that you don't value is that it takes more cognitive load, it takes more discipline, you're not investing in those skills; it is the path to burnout and it's the path to unhappiness. It's just a very careful balance that you have to weigh up when promoting junior managers.

And the last two thoughts on this topic are really about ratios. So I'm sure there are a couple of managers in the crowd today. My question for you is, how much time are you spending developing your team, developing your people? I track three ratios in my work. My first ratio that I track is
the amount of time I'm spending towards objectives, trying to make the world better. I track the amount of time that I spend on unplanned work, incidents, things that are trying to take me away from my objectives; I try and minimise that as much as I can. And my third ratio is how much time am I spending on one-to-ones, management working groups, developing leaders. If I spend about 30% of my time on that, that is the sweet spot; that means I'm developing genuine leaders, well, with the right skills, and developing them quickly. And the very final thing: mock management scenarios. These are great for management working groups, they're great for one-to-ones, great for developing synthetic management experience, okay. We run mock incidents for cyber attacks; I don't understand why I don't see this more around management. Somebody wants a pay rise, somebody has a bereavement, somebody wants to leave: mock run these scenarios in your one-to-ones, give them some skill, some experience, before they actually have to deal with these things in real life. It just feels like a no-brainer, but you don't see it enough. Okay, so that's a bit about sustainability and succession planning.

Right, the very last thing I want to talk about, and this bit's a bit MBA, some of you might switch off, but to be honest it's stuff like this that makes my role fun. I treat my functions, my teams, as enterprises within the business. I like entrepreneurship, I like marketing, I like developing, I like changing the status quo, but I guess I'm not brave enough to be an actual entrepreneur, so I do it internally, and that's what we call intrapreneurship. One of the skills that has helped me grow my function: growth, and empire. I'm not talking about empire building, I'm talking about natural growth. That is where you identify opportunities within your organisation where you can build a business case, seek investment, get new people, get new tools, and your function grows, okay; it's organic. And you as a leader, I put this to you that you actually have a responsibility to do this, because it's that growth that enables your team members to get promotions and have new positions that they can move into. So it's more than that: it's a responsibility.

One of the skills that I like is value stream mapping. Have I got a reference yet? Not yet; I'll come to the reference in a second, but this is Michael Porter, value stream mapping. If you've read The Phoenix Project, it came out of there as well, okay. It's about identifying how value flows from the suppliers before you, so in this case I think I've put Dell, or any of the suppliers before you, and understanding how that value runs through your business to your customer on the other end and becomes the start of their value stream. So this is just an example to demonstrate how value stream mapping works. My end user computing, which sits on top of the supplier, Dell, supports sales teams; sales supports product; product supports engineering, telling them what to build; engineering builds the thing; it goes on a platform; customers are really consuming the platform. Just a very simple model of understanding how value gets from one side to the other. There are lots of opportunities in that to help, especially for security people, because they're all feeling some kind of security pain that you can make a case for, to invest, make a solution, get growth in your function. Security engineering, first starting out at ClearBank, was very much focused on engineering; they're my customers, developers, and focused on platform teams, infrastructure teams, so that's where we're helping them build a secure product. But then my question comes in: well, how do I grow my function, what are my other potential markets to move into? I could move lower down the value chain, so maybe helping out more with security operations; I'm a team of security engineers, we do security, we do engineering, it makes sense, right? We could help security operations out, or the SOC. Or I can move higher up the value chain; in the case of ClearBank, we require customers to use hardware security modules as part of being able to work with us, okay; they needed a credential, they had to keep it in an HSM, so I had another market here around consultancy: how can I help customers with the hardware security modules in their architecture talking to us? Just two potential markets for me to move into. One of the ways you can make a decision is by using something like Porter's five forces. Porter's five forces has five things to ask of a market to try and see how attractive it is. So for security operations we might start to think, well, how competitive is that
market already now uh some of you might work for uh mssp some kind of managed sock Services well there's a lot of them there's a lot of them now okay very very competitive that makes the market slightly unattractive okay because there's already a lot of competition in place supplier power actually who is an mssp who works as a sock analyst on MSP can I just get one yeah fair fair enough yeah cool what if you don't mind me asking what technology are you working on top of you sort of Sentinel or Splunk [Music] or fantastic seeing a lot of that at the moment it's a good stack
is brilliant fair enough now when you take a quarters five forces look at this there's a lot of supplier power in that market you are dependent on your tooling okay in a way that other markets are not you're very depend you might be dependent on Z Sentinel you might depend on Splunk they've got a lot of power over you when their prices increase that can hurt a lot and you're not going to have a lot of voice to fight that back okay so as a market again there it's it's not looking so good for my particular use case I'm not trying to say it's bad Market um buyer power again a bit strange like in
the sock analyst world this is probably plays a bit better for sock analysts at least internally with an organization because your end users they have no idea what what products you're using so actually buyer power is quite strong buyer power is quite weak in this market Market the threat of substitution so bringing another another sock mssp along there is a threat of substitution there move to another mssp also the last one there threat of new entrance while we're seeing a lot of these kind of vendors coming along I hope you're starting to see the picture that I'm trying to paint here that that's actually quite a competitive market it would actually be quite dangerous for me to try and exploit that
internally; I could be replaced with something else quite easily. Whereas when I look at the market of HSM consultancy for customers, that's a great market. No one's doing that; that's really hard to find on Google, HSM consultancy. I haven't got many competitors, I've got no competitors at this point, so it's an absolutely greenfield market for me to develop. Buyer power: well, it's kind of consultancy, I'm not using any tools to deliver it, okay, so I'm not wedded to any, I have no supplier power in my market. Buyer power is a lot stronger here, so I might have small customers and I might have big customers, and the big customers, as always, can be quite
demanding, they can be very demanding. So there is buyer power, so that's a bit of a negative in the market. But I hope you're trying to see the picture I'm trying to paint here; it's just one of the models for me to understand how I can exploit internal opportunities. So that's value stream mapping and that's Porter's Five Forces, and I think I do have the reference now, yes: Michael Porter, another Harvard professor, okay? He's been doing this for 40, 50 years, written many, many books, definitely worth going to see. Okay, final thoughts. How am I doing for time? Hopefully it's okay, 10 minutes, brilliant. Some of you are going to be
thinking, so you just talked about leadership and management and money, but I'm not a manager, I'm not a boss. Leadership is a choice. Anyone can be a leader, anyone can make a stand for a change, anyone can build a coalition, anyone can acquire resources; it just takes knowing the right skills. And it really starts with self-leadership, which was a term actually coined over 40 years ago by Charles Manz. So a lot of these, again, I just wanted to introduce you to the literature. It wasn't a topic that I was ever introduced to at school, at university in computing; it was much later in my career that I got introduced
to this. So just the last couple of thoughts. I implore you, if you want to go down this path, take your work seriously. People need to know that you're a serious person trying to make the world better, but don't take yourself very seriously; it's not very fun to work with those kinds of people. I like to be quite fun, I'm the first person to make a joke about myself. So take your work seriously, but yourself not too much. If you do want to go down this route of leadership, you have to understand your personal brand: who are you, what are your values? You're probably seeing some of my values coming through in this talk. I
care about people, I care about vision, I care about high performance and developing people. Having a strong personal brand, a strong set of personal values, is your compass. It will help you make decisions very quickly, it will help you make decisions that are congruent with your identity, and it helps you establish integrity with other people, because they can see you make a consistent set of decisions meeting those values. Personal brand: you should absolutely go and work out what your personal brand is. Taking an interest in others: I think this is quite hard for technology people. I like to try and meet a new person within my organization
at least once every week, so I will go and reach out to other parts of the business, whether it's finance, whether it's sales or marketing, and really I'm just interested to know how they work. I'm interested to know if there's a market there that I can exploit; actually, that's why I'm talking to them. But I can only work that out if I'm listening to people and asking about their problems. So I'd absolutely implore you: go out into the rest of your business, say hi, have a virtual coffee, ask about their problems and see if you can help. I'll be honest, this is a little bit Godfather: I'm looking for favors. And you
know, I'm helping other people, especially when you're security; everyone feels some kind of security pain. But you're also IT technologists, your basic IT skills: there are people in sales and finance who don't have that, and just because you can say, "oh, this is how you make a new Teams team", that could be news to some people in your organization, and that's a really valuable thing you've passed across, but you've also gained a favor. I would encourage you all to practice reflection. I have 30 minutes on a Friday, the last thing I do every week, just working out what I've done, what are the good things about this week,
my own personal retro, that's what it is: tweak how I behave, getting feedback from people. I would encourage you to do this. Try and develop a habit of reading, or listening if you're into Audible, either works. Many of the problems that you're working on have been solved before, in some cases with organizational change 50 years before; I just needed to read the book and then try and apply it. All you're seeing today is me trying to apply management theory and business theory into a DevSecOps context. That's innovation; it's very small innovation, but still innovation, and I would encourage you to try and do
the same. This one's a bit more controversial: always have your next interview in mind. You should go and pursue the stories that you want to tell at your next interview. So if opportunities come along to get involved in this project or that project, there is a tendency for some people maybe to look inwardly and say that's not in my job description, I'm not paid to do that. I would encourage you to maybe think about how you make sure the next person pays for that, and go and develop those stories, go and find those stories. And lastly, make friends and have fun. I'm fortunate enough
that I've got friends in the audience today. I love collecting friends because it just makes work so much more fun. I would encourage you all to do the same, and I think it ties very strongly to your performance as well. So the very last thing, just LRQA. We're a global assurance provider, so our assessment business is one of our biggest; we do ISO inspection, so ISO 27001, privacy. To be honest, we do so many ISO things that there's some I've not even heard of. We do inspection things as well, so asset integrity, advisory services around ESG. We have data analytics products around supply chain risk and all that
kind of stuff. But really, most excitingly for me, LRQA is actually the, I guess, owning company of Nettitude. Some of you may have heard of Nettitude; Nettitude is a cyber security company, market leaders, award-winning, for all your offensive security needs: red teaming, pen testing, research. Lets you do a whole bunch of things. So if you're interested in any of that please come and have a chat with me, and I think that's about it. So thank you for listening; I hope that was just a different
talk. My plan of running my talk to time so I don't have any questions did not work; I've got five minutes if anyone has any questions, or come and find me later.
[Audience question] ...buying vision and getting your team to people from other teams, how about higher management's support? How do you sell your vision and get...?

Yes, so the question there was: how do you convince senior management to buy into something like a DevSecOps transformation? Is that... have I articulated that? Excellent. So a few different ways. One of the best ways: you're really trying to measure risk. You might have critical risks in your infrastructure; it's just not been articulated in a way that they understand. That's kind of boring, but it is one of the ways. One of the more exciting ways is to talk about the value proposition of security, which is a
much more compelling vision for senior management. Would your customers choose you if you could articulate your security journey and how much quality assurance and security you put into your product? Is that a differentiator in your market? Now, something like that was strong for something like ClearBank: all of these initiatives that we were running, we could go and train the sales teams to talk about it, and it became a source of sales compensation, and now we can start saying, well, this is actually going to affect the top line, not just the bottom line. So some of it's about trying to weave the story into the value proposition. I think there's many, many
different ways to, and some of it might be driven by regulation, some of it might be driven by a breach, but the other one is really about the cost of not doing a DevSecOps transformation, right? So we all know, okay... I thought we already did five minutes? Okay, gone back in time. So the thing is, when teams don't work in a DevOps way, you're always finding flaws in production. That is the most difficult, most expensive time to fix something, as opposed to fixing something on paper during the design phase. You'll find a team that doesn't work in a DevSecOps way is constantly working on
production issues; it's most difficult, most expensive. But if you do this kind of thing we can pull it earlier, where we can fix things cheaper, faster, before there's ever a problem. So there are operational excellence aspects to doing a program such as this. I hope there's a couple...

[Audience question] ...just wondering, when you start, how much do you need your...?

Yes, that's a great question. My successes in doing this kind of stuff are 1% technical. I need enough technical skills to be credible with engineers; I need to know that I can join an architecture discussion and I can kind of hold my weight, I can have an opinion. But it's about credibility. There's something about development,
developers, I don't wish to offend anybody, but it's very tribal, okay? Every development team that you work with thinks that they're the bee's knees and the way they do it is the best, and I can go to the next room, same company, different team: they're awesome, no one else sees it, but they're awesome. That's very challenging, that tribal mentality, and you have to be credible, okay? Now that can be just: I've done a couple of proof of concepts in my own time, I have tried to write some code, develop something, build a pipeline. You don't have to have commercial experience but you do have to be able to speak the
lingo a little bit, enough to be credible, is what I would say. And that's on both sides: credible with developers, but also credible with your security analysts as well, to understand what a SIEM is, how to set one up, what are the challenges. But the key word there is credibility. Does that help? Okay, all right, that is the end of time. Thank you very much.