Nazneen Rupawalla

Organizational Change Through The Power Of Why - DevSecOps Enablement

Is your security team a bottleneck? Learn a data-driven strategy to shift security ownership to developers and explain the 'why'.

#1 (about 3 minutes)

Why traditional security engagement creates bottlenecks

Security teams become a bottleneck when accountability is misplaced and feedback is provided too late in the development cycle.

#2 (about 1 minute)

Creating a center of excellence for security

A center of excellence was established to make security planning scalable, measurable, and easier for teams to adopt.

#3 (about 3 minutes)

Integrating security into existing team workflows

A security champion program, together with mapping security controls into project management tools such as Trello, helps embed security into daily work.

#4 (about 4 minutes)

Structuring security controls with the power of why

Each security control is framed with a 'why' to provide business context and a 'how' with actionable steps and tools.

#5 (about 3 minutes)

Automating security tooling within the SDLC

Security tools for SAST, runtime security, and cloud misconfigurations are integrated into the CI/CD pipeline as acceptance criteria for controls.

#6 (about 2 minutes)

Visualizing security progress with data-driven dashboards

Data from Trello boards is automatically collected via webhooks to create dashboards that track team progress on security controls.

#7 (about 3 minutes)

Creating a security maturity model for leadership

Team-level data is aggregated into a high-level security maturity model to give leadership visibility and drive accountability.

#8 (about 1 minute)

Building an effective security champion program

Nominating champions through tech leads, rather than relying on volunteers, increases the program's impact and motivation.

#9 (about 1 minute)

Key takeaways for building a security culture

Explaining the 'why' behind security empowers teams to take ownership, while relationship building and automation are key to cultural change.

#10 (about 3 minutes)

Q&A on program implementation and threat modeling

The discussion covers the program's 1.5-year implementation timeline, managing high-impact risks, and doing threat modeling every iteration.
