Security Leader: Michael Christie, F5 Networks

Michael is Director of System Engineering, ANZ at F5 Networks

Credit: F5, Michael Christie

How did you end up in your current role and what attracted you to the industry?

I was attracted to the information industry early in my career because of my fascination with the capabilities of digital technology and what it could do for people and organisations. I started as a Field Engineer and progressed through a number of technical leadership roles, seeking out positions where I could create impactful outcomes. 

For the last several years I have been leading pre-sales teams who create transformational outcomes on a daily basis. I like the bigger picture and both innovation and imagination inspires me. I enjoy leading a team, and thrive on the leverage a leadership role gives me to make a real difference.

What security threats do you see as most problematic over the next year?

Increased risks in application deployments has been driven by the creation of faster pipelines between the development code and the end value for the customer. As a result, data breaches have become a key threat to the security infrastructure of any business—in fact, 53 percent of data breaches target the application itself.

The Notifiable Data Breaches (NDB) scheme, which came into effect in 2017, states that affected individuals and the Office of the Australian Information Commissioner must be notified by organisations or agency in the case of a data breach involving personal information. Since the introduction of this scheme, compliance and security in the application has become a priority for Australian businesses.

What do you see as the biggest gaps in the functionality of current cybersecurity technologies?

Nowadays we’re dealing with thousands of applications that require updates on a daily basis. Each app is on track to have its own automated development pipeline—which in turn requires its own builds, releases and agile teams. 

As businesses take leaps and bounds in application development, it’s expected they get ahead of security at a similar pace—but this isn’t always the case. As such, a gap between development and security is created as businesses are developing apps faster than security can keep up.

What technologies do you think will most transform security in coming years? 

As a result of applying the approach of DevOps, cloud-based solutions are rising above the rest—and fast. In light of this, it’s a reality that security technologies will integrate earlier in the development stages of applications. More specifically, security solutions using an automation-first and API-driven approach will have the ability to integrate within the software delivery pipelines, without reducing deployment timelines. 

How do you define DevSecOps? Who is ultimately responsible for DevSecOps at an organisational level? 

It’s evident that applying DevOps to the deployment of apps is a no-brainer, and over 94 percent of enterprises across the Asia-Pacific region have adopted DevOps methods of working in their environments. However, security teams and tools must learn to quickly adapt to rapid app developments—to both mitigate risks, and avoid slowing down app deployment pipelines. It is here the old way of life, SecOps, must collaborate with DevOps to create what’s now known as DevSecOps. With this approach, security is an intrinsic part of development, whereby security is integrated with governance into the DevOps life cycle from the outset—in a frictionless way.

DevSecOps is the agile approach that works at its absolute best with a cross-functional team. While this model breeds new roles, and fosters traditional roles such as  
site reliability engineers, DevOps system administrators and evangelists, and security engineers, siloes are broken down, and each role and expertise now function as one team—with one objective. For a cross-functional team like this, security leaders provide oversight and direction, where they set policy and present to the broader organisation, as well as plan and deliver resources. 

What do you see as the biggest threat we currently face with DevSecOps in the application capital era?

In the midst of deploying DevSecOps within an era where apps run the world, it’s all too easy for companies to overlook the crucial aspect of cultural transformation that must happen alongside agile development and digital transformation.

As organisations ‘shift left’ on security to embrace DevSecOps, major cultural shifts are happening for both the developers and stakeholders in the IT team. Developers are learning to work with security teams in a much closer and collaborative way that ever before, and tensions between the teams can mean culture suffers in the interim.

While a rough patch is almost inevitable, the end result is an adaptable, agile team of developers, engineers and security professionals all working to reach one goal. If, however cultural transformation isn’t handled with care, or ignored altogether, teams won’t have the opportunity to flourish as one and can never truly reach success with DevSecOps—and that’s a real threat as society thrives in the application capital era.

How has the application capital era spurred an increased focus on application security?

Applications are all around us and is the foundation of our economy. This era, fittingly named the application capital era, has driven Australian society to almost become fully reliant on applications and digital services. In saying so, applications have become a company’s most most valuable asset.

However, the increased focus on applications also means an increased source of enterprise risk. The growth and evolution of highly sophisticated cyber threats, along with Australia’s preference of security over convenience when choosing and using apps, ultimately means organisations must prioritise the protection and security of all applications.

What’s the importance of DevSecOps amidst the application capital era?

As the cyber threat landscape becomes more complex each day, and the demand for seamless application delivery reaches new heights, the ability to weather the storm of transformation and digitisation amidst the application capital era—without compromising security—is paramount. And the key to enable this is through DevSecOps. 

Booming industries like the banking and financial sector in Australia must digitise to meet customers’ expectations and adapt as the nation rapidly moves towards digital payments within a cashless economy. Despite this, a consumers’ main concern when using banking apps is security and an alarming amount of Australians don’t trust digital payments. So if we’re looking particularly at this industry, the prioritisation of security is indisputably required to foster trust. 

Developers must work hand-in-hand with security teams to embed security at the heart of every application.

How frequently have you had to deal with the agile approach of DevSecOps and what’s the best process behind this approach?

Most of the organisations I deal with have some form of DevOps programs up and running and some are using Agile methodologies right across their businesses. The more progressive ones see the value of tightly integrating security into DevOps rather than taking a bolt-on approach. It’s important to continually have the conversation with customers about DevSecOps and integrating the security functionality into their Agile development processes and toolchains.

Connecting the people and technology is all made possible when an effective process is established for DevSecOps. Businesses are urged to automate manual processes where necessary, without having to sacrifice security needs. During the development phases, security should be a process embedded within. One way to ensure this process is properly executed is via threat-modelling storyboards during the development phase. This will highlight where security needs to be baked into the design and eliminate any other misconceptions about where security sits.

Show Comments