Abstract
Cyberattacks make the news daily. Systems must be appropriately secured. Cybersecurity risk analyses are more necessary than ever, but traveling and gathering in a room to discuss the topic has become difficult due to COVID, while having a cybersecurity expert working in isolation with an electronic support tool is clearly not the solution. In this article, we describe and illustrate Obérisk, an agile, cross-disciplinary and Obeya-like approach to risk management that equally supports face-to-face and remote risk management brainstorming sessions. The approach has matured over the last three years through its use in training and in a wide range of real industrial projects. The overall approach is detailed and illustrated on a naval use case, with extensive feedback from the end-users. We show that Obérisk is time-efficient and effective at managing risks in the early stages of a project, while remaining extremely low-cost. As the project grows, or once the system is deployed, it may eventually be necessary to shift to a more comprehensive commercial electronic support tool.
Highlights
A major trend in system and software development relates to DevOps, closely followed in time by DevSecOps
Where are the soft skills and enterprise culture parts mentioned in the Flickr talk? Where is the “everyone is responsible for security” of Shannon Lietz [7], in particular when it comes to the involvement of the executive management and the board of directors?
We propose an approach that complies with the EBIOS Risk Manager method, emphasizing maieutics and ergonomics, especially in remote conditions, the speed of setting up and implementation, and low costs in terms of both time and direct expenses
Summary
A major trend in system and software development relates to DevOps, closely followed in time by DevSecOps. A short history of DevSecOps [1] recalls that the first spark for DevOps was given in 2009 by a Flickr talk [2], which promoted lowering the risks of change through automation tools and an adequate enterprise culture. In 2015, DevSecOps put the spotlight on security, recalling that security should be given precedence over new features [3], and stressing that security is not the sole responsibility of security experts. These approaches have been immensely popular and commercially successful, especially with regard to automation. Where are the soft skills and enterprise culture parts mentioned in the Flickr talk? Where is the “everyone is responsible for security” of Shannon Lietz [7], in particular when it comes to the involvement of the executive management and the board of directors?