rickhoward
Contributor

The impact of DevOps on your bottom line

Feature
Sep 26, 2017 | 3 mins
Data and Information Security, DevOps, IT Leadership

During Cybersecurity Awareness Month and beyond, DevOps is a philosophy to which security practitioners should pay attention.

DevOps is the most important innovation to the IT sector since the invention of the personal computer. Nearly everyone I have talked to in my travels these past few years says they are building their own DevOps shop. But when you probe them about what they are actually doing, most say they are deploying applications to the cloud. That is not exactly what DevOps is.

To put it in a nutshell, DevOps combines the cultural and technical philosophies of software development, quality assurance, and IT/InfoSec operations into a single system of systems that is managed as a whole. The purpose is to deliver applications and support services at a much higher velocity. With traditional software development processes and standard InfoSec and IT tool maintenance updates, it sometimes takes weeks, months and even years for organizations to roll out a new application, update an old application, install a patch to a machine, or add enhanced prevention controls derived from new intelligence. The DevOps mantra is to roll out ten deployments/changes a day. That sounds good when you say it fast, but it is tough to find the edges of this new philosophy when you start to think about the implications.

DevOps is such a new concept that it is difficult to define precisely. Many have their own view of it. But in terms of outcomes, DevOps completely changes the focus of the IT and InfoSec organizations away from stovepipe thinking. It forces the people in those organizations to think about the production system as a whole. In this new model, every stakeholder is concerned with maximizing the throughput of the overall system for deploying everything. The result is that production velocity increases exponentially because the team begins to automate the throughput process: the glue that moves all projects through development, quality control, InfoSec and IT operations. For network defenders specifically, security is no longer an afterthought; it is part of the fabric of every deployment project.

Big tech companies like Netflix, Google, Salesforce.com and Facebook have been doing their own versions of DevOps for years. Google has its own name for it: Site Reliability Engineering. I believe that this early adoption of the DevOps philosophy by these internet giants is largely responsible for how they have scaled their operations while continuing to serve their customers at the highest levels.

Here is the bottom line: As every organization races to the cloud, DevOps becomes an opportunity. You are writing new code anyway. Why continue deploying code and installing fixes the way we did it when the internet was young? Why not use this time to completely rethink and modernize your approach, and take the lead from successful organizations like Google and Netflix? I believe that, if you don’t, your competition will beat you to the punch within the next five years. If they get there before you do, they will dominate the marketplace because you will not be able to keep up with them. But if you get there first, you can position your organization as the frontrunner. You could potentially dominate your competition in the marketplace, and that is a great position to be in.

If you are new to the philosophy, consider reading the Cybersecurity Canon Hall of Fame Winner The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win. It is a good primer on the subject, regardless of your role in your organization.


As a 23-year military veteran, Rick Howard has a vast background in several different areas of InfoSec, ranging from experiences within both the public and private sectors. During his previous military career he learned the technical skill sets necessary to succeed in the IT/sec world and in his current role as the chief security officer (CSO) of Palo Alto Networks he continues to learn and contribute to the business aspects of this evolving industry.

Prior to joining Palo Alto Networks, Rick was the Chief Information Security Officer (CISO) for TASC and led the development of TASC’s strategic vision, security architecture and technical roadmaps for information security. As the GM of a commercial cybersecurity intelligence service at Verisign (iDefense), he led a multinational network of security experts who delivered cyber security intelligence products to Fortune 500 companies. He also led the intelligence-gathering activities at Counterpane Internet Security and ran Counterpane's global network of Security Operations Centers.

A veteran, Rick served in the US Army for 23 years in various command and staff positions involving information technology and computer security and spent the last two years of his career as the US Army's Computer Emergency Response Team Chief (ACERT). He coordinated network defense, network intelligence and network attack operations for the Army's global network and retired as a lieutenant colonel in 2004.

Rick holds a Master of Computer Science degree from the Naval Postgraduate School and an engineering degree from the U.S. Military Academy. He also taught computer science at the Academy from 1990 to 1995.

He has published many academic papers on technology and security and has contributed as an executive editor to two books: “Cyber Fraud: Tactics, Techniques and Procedures” and “Cyber Security Essentials.” In the spring of 2013, Rick Howard spearheaded the creation of a "Rock and Roll Hall of Fame" for cybersecurity books called The Cybersecurity Canon. The Cybersecurity Canon's goal is to identify a list of must-read books for all cybersecurity practitioners -- be they from industry, government or academia -- where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional's education.

The opinions expressed in this blog are those of Rick Howard and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.