Chapter 1. Shifting the Security Team to a DevOps Mindset
During the early days of the shift away from Waterfall development, I was incredibly fortunate to be in the position of building the security team at Etsy while it was one of the first companies pioneering DevOps. At the time, for most companies, production application changes were typically made every 6 to 18 months. However, as I learned on my first day as head of security, Etsy was making production code deployments 20 times per day and rising. As you can imagine—and I had to learn the hard way—most of the classic approaches to security simply weren’t going to survive in this environment.
I knew that the approach to security needed to change, but implementing a DevOps-friendly model effectively and in ways that achieved buy-in throughout the organization hadn’t really been done before. First and foremost, like many security professionals, I had to stop thinking of security as a gatekeeper or blocker, which is a holdover from the Waterfall methodologies. As my thinking changed, I could begin seeing how the security team could change to be more DevOps friendly and thus maintain good security practices while focusing on enabling business agility.
In this report for fellow security leaders owning a security transformation, I share the lessons I learned about building and scaling a program along the way—lessons that would have saved me from a bunch of pain had I known them from the beginning. I use details about Etsy because ...