James Chandler, vice president of security for Western Governors University, has successfully transferred security by implementing a scorecard system that requires devops teams to meet certain specific standards and implement expectations through processes of business.
In other words, Chandler says, teams must get top scores to push their code without approval. If they don’t have the highest scores, they should defend their lower scores and the reasons for them before proceeding with the exit.
“It’s about pushing security to the left, so security starts early and flows through the development lifecycle,” Chandler said. “It’s a big factor that we’re trying to push as a security group, because we have better security success when developers are participating here in their day-to-day [work] compared to when the security team finds an issue and has to ask them to resolve it. “
The creation of a scorecard to improve security initially stemmed from concerns about the performance of the technology infrastructure.
Western Governors University is a 100% online university focused on helping the underserved population achieve higher education. The Salt Lake City-based institution serves 130,000 students, most of them based in the United States.
Western Governors UniversityJames Chandler, VP of security, Western Governors University
Because of its mission, Chandler said he and other university technology leaders are constantly looking for ways to improve the reliability of systems as well as the confidentiality, integrity and availability of data (the well -known CIA triad that helps guide information security policies in many organizations).
However, Chandler and his fellow VPs in early 2019 assessed the performance data and concluded that the systems were not as reliable as they should be. They see losses in the university platform negatively affecting students and staff. Such incidents get priority attention; as Chandler said, “If it affects students, it quickly becomes a serious 1 issue.”
Alignment with expectations
The university’s IT and security leadership determined that existing business processes within their domains did not motivate the successful deployment of software in accordance with the CIA triad.
Chandler explained that various factors contributed to that scenario.
The university has a complex infrastructure with more than 1,000 third-party vendors and dozens of product groups.
That in turn made security requirements, such as timely patching of vulnerabilities, difficult, because that work often affects the work of diverse teams from security to engineering.
Moreover, security teams and IT teams are not in line with expectations.
“Their ideas on how quickly to resolve issues are different than ours, so we didn’t reach the security targets we wanted because of the challenges of aligning everything,” Chandler said, citing the goal the university tracks “five-nines availability,” or 99.999% for network and service accessibility to users.
After reviewing the situation with other vice presidents, Chandler said he concluded that improving security performance and the overall experience for users, especially students, would not happen without some specific organizational change.
“We got to the point where we hit a wall,” he said. “But when we identified the different factors, we started to look at what we could do to solve them.”
Chandler worked with several other vice presidents (who are jointly responsible for security as well as IT infrastructure, technology operations and educational technology) to find the best way forward.
They then created a committee to review the issues and suggest a solution, appointing seven of their directors (who all reported to the VPs and oversaw related areas, such as engineering and general operations). .
The directors worked for several months in fall 2019 and proposed a scorecard that would track and measure performance in five areas important for the reliability and availability of systems: availability (99.99%), problem solving (<30 minutes ), problem record error budget (<100 severity demerits), security hygiene (<0) and root evaluation task hygiene (<0).
“That has become part of our operational metrics, and each team needs to present their scorecard and defend what the score is and why,” Chandler said, explaining that the scores are electronically recorded on its ServiceNow platform as part of the agile development management process. “If they have updates or new code to push, they have to use the scorecard.”
Keeping score
The scorecard, with multiple layers of implementation, increases the incentive to maintain the highest level.
For example, teams with a score of 5 have the most freedom to go to market; teams on the other end of the scale have the most additional requirements, including approval — in general, Chandler says, “more eyes are looking at you because you can’t keep up with the program.” Levels 4, 3 and 2 have increasing levels of requirements that match their scores.
This scorecard was implemented in 2020; it is optional first and then mandatory.
Chandler said the scorecard moved teams from their devops skills closer to devsecops.
“I don’t know if we’re complete, but it’s a big step in the right direction. They start with security in the early stages and it stays that way throughout the lifecycle,” Chandler said.
It also created more responsibility and alignment as well as a greater sense of shared responsibility.
“Binding [those five performance areas] Together with a scorecard helps each team understand that different areas have their responsibility to support other groups. That was part of the expectation-setting, tiing those all together, ”he added.
Chandler said the fact this concept came from directors working directly with teams helped with a quick and successful adoption: “The purchase came from the directors themselves; they would go to their teams and say, ‘Here’s what we’re doing.’ And since it doesn’t come from senior leaders, because it’s very local rather than coming from the top, buying is much easier.
Reaping the rewards
The use of the scorecard also created some healthy competitiveness, where teams aimed to get high scores to gain recognition at biweekly meetings. Chandler said it’s rare that all teams get 5s, the highest score, in any given two -week stretch; the majority earning 4s are more common and somewhat on average.
On the other hand, teams with low scores are required to discuss their challenges in those meetings.
That wasn’t meant to be punishment, Chandler said. Instead, the process gives teams the opportunity to hear ideas, gain insights and get help from others — especially if some of the factors for lower scores are related to the challenges they face. of others, such as working with legacy technology.
“It created a community rather than siled teams,” he added.
Security and performance improvements are as fast as the adoption of this scorecard process, Chandler added; he saw improvements in various areas, including system time, over the course of a month.
More specifically, the implementation of the scorecard generated a 62% reduction in security ticket violations, a 72% reduction in vulnerabilities, and a 34% reduction in temporary time to fix security issues.
Chandler sees more positive success in the future. He and his colleagues plan to not only continue using the scorecard but strengthen the scorecard requirements to bring incremental improvements to the performance of the departments.
“They solved the problem and the task given to them,” Chandler said. “Now we look at it and say, ‘What areas can we improve next?’”
Copyright © 2022 IDG Communications, Inc.