1. As DevExec AreYou Doing Enough For Security?
Archana Joshi
Head –Transformation, LTI
Note:The views expressed in the presentation are solely of the presenter and do not represent those of the company /clients she is associated with

2. 2
Let’s us meet the characters in our story
CEO CIO Legal Director
InfoSec Director Dev Director

3. 3
…. And ask them the same question
What are you doing about cyber security?
CEO CIO Legal Director
InfoSec Director Dev Director
One of the top agenda
Proactive investments
Being secure is our culture
Strengthening
Cloud Security &
Application Security
Compliance checks
Investing in Digital Forensics
Security lapse liability
3rd party coverage
DevSecOps
Risk based DAST, SAST

4. 4
Alert !!!!
Security Breach !!!!
Root Cause: Application using an open source utility was hacked

5. 5
Now ask them the same question
How can we prevent such breach in future?
CEO CIO Legal Director
InfoSec Director Dev Director
I am setting up a committee with
external experts to help us with next
steps
My team needs to come together
It’s not just us – we have partners too
We need to work together
I should provide stringent security norms
We need to work together
I don’t understand this focus for
opensource
We need to work together
My app team faces the brunt.There are
networks too
We need to work together

6. 6
2 months after the incident…. ask them the same question
How are you measuring effectiveness of cyber security
CEO CIO Legal Director
InfoSec Director Dev Director
I get weekly report on any breaches
We are also running an awareness
campaign
Mean time to receover from security
Kubernetes cluster monitoring
% Adoption of DevSecOps
No. of builds to production with security
clearances
Risk assessment profile
No. of third party assessments meeting
the legal guidelines
No. of security compliances defects
No. of developers undergone secure
coding practices session

7. 7
Is there a better way to handle this?
Can we truly achieve “continuous security”

8. 8
Infrastructure
Applications
Data
Compliance
StaticTesting
DynamicTesting
Network Security
Endpoint Security
Cloud Security
Data Encryption
Access Credentials
Loss Prevention
Cloud
Data
Regula
-tions
Open
Source
/ 3rd
Party

9. 9
Security Pod & Roles
CISO – CIO pair
Extreme Automation
Inbuilt Dev Practices
Integrated OKR and metrics
Follow the motto of Centralize – But Decentralize

10. 10
Security Pod & Roles
Security Architect
Security Ambassador / Product Mgr
SRE with security focus
CISO – CIO pair
Common security governance
Active Legal involvement
Extreme Automation
Open source tagging via pipeline
Operations monitoring includes security parameters
Inbuilt Dev Practices
Security as a code
Secure coding insights via AI interventions
Integrated OKR and metrics
Threshold setting for central involvement
Security Debt as part of sprint goals
Follow the motto of Centralize – But Decentralize

11. 11
Security is at the heart of
success of development

12. THANK YOU
https://www.linkedin.com/in/arcjoshi
Note:The views expressed in the presentation are solely of the presenter and do not represent those of the company /clients she is associated with