The modern-day CIO has a rapidly growing number of priorities, most of which are driven by the mega trends of digital transformation and cloud migration. They must also spend time and resources ensuring that the existing lines of business continue to function seamlessly and drive revenue. This frenetic environment is best described pictorially, and a purely tactical approach will certainly produce sub-optimal results.

Security is important but not a priority

Too often, security lags behind other initiatives and is "bolted on" at the end of a project or migration. The result is that remediation of any issues is rushed, mitigating controls are put in place as a stop-gap, or, worse yet, a conscious decision is made to absorb the risk(s). Security teams, already overburdened and often understaffed, add more tools to the environment in an attempt to provide defenses and insight into the insecure areas. The main issue with this "scale-out" approach of individual products and point solutions is that they typically require some level of manual intervention. If that change in behavior is required of the developers, they will typically use the tool only periodically and inconsistently. On the other side, if the tool requires the security engineer to perform a set of actions, that will also be inconsistent because of the aforementioned talent shortage.

Strategic security planning

Now that the challenges have been outlined, what is a CIO to do in order to better integrate security into the environment and strengthen the company's security posture? Given my former role as a CIO in large enterprise environments, I'll provide a real-world approach and a set of best practices to establish a baseline of the current security posture. The most important action you can take is to get started, because security is an ever-evolving challenge and practice.
Getting started and/or developing a path for improvement is the most important first step.

5 best practices

1. You can't secure what you don't know about – Visibility is paramount for security, so the first step is to perform a comprehensive audit of all existing code repositories, application environments/deployments, and any external, third-party services that are in use. In conjunction with this audit, document any security tools and solutions that are in use or have been deployed. An important part of this process is also to meet with several members of the dev, DevOps and security teams to get a view into cultural biases and differing views of security. Do not underestimate the value of this part of the process, as the cultural transformation will be more challenging than the technical aspects of execution.

2. Prioritize, prioritize, prioritize – Now that you have completed the inventory audit, it's time to perform the risk assessment. Assign a score to each major asset based on the potential adverse effect on the business if there were a security issue or breach. Even though the goal is to deploy a strategic framework, you need to start somewhere, and that starting place is obviously the most crucial business asset. It is also important to realize that this assessment is not a static exercise: risk is an elastic entity, and the corresponding level can change quite often in a high-velocity business.

3. Seamless integration, not bolt-on – Security solutions have tended to be point solutions instead of being integrated into environments and workflows. For software, organizations have an opportunity to integrate security as far left in the product development process as possible. Teams can remediate defects early in the cycle, saving time and money as well as increasing overall security assurance. In my experience, this approach creates a much more collaborative environment and brings the security team into the development lifecycle. Over time this can transform the culture into true DevSecOps. Security tool integration should leverage automation and orchestration to provide repeatable approaches to security testing. "Automation" improves the vertically focused manual tasks, and "orchestration" ties all of the disjointed processes together into a single view.

4. Security metrics – You can't improve what you can't (or don't) measure, and a couple of KPIs to track are your IRD – Internal Rate of Detection – and your IRR – Internal Rate of Remediation. Too often the focus is on insurance and passive defense; my advice is to start thinking about assurance and leveling the playing field by taking more offensive approaches to security. By tracking how many security issues are detected during the development cycle, when they are detected and how quickly they are remediated, you can present that data to the CEO and board and have real discussions about what is working and what still needs to be improved.

5. Continuous assurance – Code and application security testing has typically been a periodic, manual process, and even highly regulated industries adhere only to their respective compliance requirements (e.g. PCI DSS requires a penetration test twice per year). My experience suggests that security assurance needs to be a continuous process in which any significant change delivered to production is scanned for vulnerabilities and any issues discovered are remediated at that point in time. This fast feedback loop has proven to actually increase delivery velocity and improve overall code quality.
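The security metrics practice above names two KPIs but does not define how to compute them. The following is an added example, not code from the article or its author, showing one way a security team could calculate them from its own findings tracker. It assumes two definitions that are this example's own: IRD is the share of findings detected before production (in dev, CI or staging), and IRR is the share of findings closed within a per-severity remediation SLA, with open findings whose SLA has already elapsed counted as misses and open findings still inside their SLA left out until they can be decided. The `Finding` record, the stage names, the SLA table and the sample findings are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Hypothetical finding record; field names are this example's own, not the article's.
@dataclass(frozen=True)
class Finding:
    id: str
    severity: str                  # "critical" | "high" | "medium" | "low"
    detected_in: str               # "dev" | "ci" | "staging" | "production"
    detected_on: date
    remediated_on: Optional[date]  # None while the finding is still open

# Stages that count as "internal" detection (assumed definition of IRD).
PRE_PRODUCTION_STAGES = {"dev", "ci", "staging"}

# Assumed remediation SLA in days per severity (illustrative, not from the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def internal_rate_of_detection(findings):
    """Share of findings caught before they reached production."""
    if not findings:
        return 0.0
    internal = sum(1 for f in findings if f.detected_in in PRE_PRODUCTION_STAGES)
    return internal / len(findings)

def internal_rate_of_remediation(findings, as_of):
    """Share of decidable findings closed within their severity SLA, as of a date.

    Closed within SLA -> hit; closed late -> miss; still open past SLA -> miss;
    still open but inside SLA -> not yet decidable, so excluded from the ratio.
    """
    hits = misses = 0
    for f in findings:
        sla = SLA_DAYS[f.severity]
        if f.remediated_on is not None:
            if (f.remediated_on - f.detected_on).days <= sla:
                hits += 1
            else:
                misses += 1
        elif (as_of - f.detected_on).days > sla:
            misses += 1
    decided = hits + misses
    return hits / decided if decided else 0.0

def median_days_to_remediate(findings):
    """Median detection-to-fix time over closed findings; None if nothing is closed."""
    durations = [(f.remediated_on - f.detected_on).days
                 for f in findings if f.remediated_on is not None]
    return median(durations) if durations else None

def board_summary(findings, as_of):
    """Per-severity table of the kind a CIO could put in front of the board."""
    summary = {}
    for sev in SLA_DAYS:
        subset = [f for f in findings if f.severity == sev]
        if not subset:
            continue
        summary[sev] = {
            "total": len(subset),
            "open": sum(1 for f in subset if f.remediated_on is None),
            "ird": round(internal_rate_of_detection(subset), 2),
            "irr": round(internal_rate_of_remediation(subset, as_of), 2),
            "median_days": median_days_to_remediate(subset),
        }
    return summary

# Constructed sample findings (not real data); one per common situation.
SAMPLE = [
    Finding("F-1", "critical", "ci", date(2023, 3, 1), date(2023, 3, 4)),          # caught early, fixed fast
    Finding("F-2", "critical", "production", date(2023, 3, 10), date(2023, 3, 25)), # found in prod, fixed late
    Finding("F-3", "high", "dev", date(2023, 3, 2), date(2023, 3, 20)),             # inside SLA
    Finding("F-4", "high", "staging", date(2023, 3, 15), None),                     # open, SLA not yet elapsed
    Finding("F-5", "medium", "production", date(2022, 12, 1), None),                # open, SLA already blown
    Finding("F-6", "low", "ci", date(2023, 3, 5), date(2023, 3, 6)),                # trivial fix
]
AS_OF = date(2023, 4, 1)

if __name__ == "__main__":
    print(f"IRD overall: {internal_rate_of_detection(SAMPLE):.0%}")
    print(f"IRR overall: {internal_rate_of_remediation(SAMPLE, AS_OF):.0%}")
    for sev, row in board_summary(SAMPLE, AS_OF).items():
        print(sev, row)
```

Reporting IRR as of a date matters: a finding that is open but still inside its SLA is neither a success nor a failure yet, and counting it either way distorts the trend the board is meant to act on.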
(source: Sonatype's 2017 State of the Software Supply Chain)

Stop the FUD and get started

The security marketplace and landscape are fueled by FUD – fear, uncertainty and doubt – which is often the driver of security projects, if not strategies. In my experience, this approach does not help to improve overall security posture, and a completely new approach needs to be taken. As you evolve your security strategy with some or all of the best practices I've outlined, consider building for confidence, assurance and visibility, as these will ultimately help to improve your resiliency. I hope that by outlining the approach that has worked for me, you can start implementing your security strategy and accelerate development velocity in the process.