In the Trace3 Technology Triumphs blog series, we share the accomplishments of our clients and those who are forces driving value to their businesses through technology.
As security threats become more sophisticated, implementing modern security practices for Cloud, DevSecOps, and Automation is now a minimum requirement for any engineering-focused organization that fully embraces cloud-native technologies. Julie Chickillo, VP and Head of Information Security at Guild Education, knows this firsthand. In the past 12 months, in partnership with Trace3, she successfully implemented a frictionless, cross-functional, and fully automated DevSecOps program with security fully integrated throughout their deployment pipeline.
By successfully fostering the right culture and partnership with engineering teams, Julie also built a modern Security Information and Event Management (SIEM) platform with a fully customizable and scalable security data lake. The platform provides enhanced threat visibility and correlation across the Guild Education environment. We caught up with Julie recently to pick her brain on life as a CISO.
Trace3: What was it like to introduce and implement new AppSec and DevSecOps services at Guild Education this past year?
Julie: Our success in this 12-month project was due in large part to our ability to identify, empower, and build cross-functional teams, including engineers, DevOps, and security, to define a program operating model and conduct solution POCs on Trace3’s recommendations. This followed a thorough product evaluation and rationalization analysis of Guild Education’s needs and requirements.
Together we engaged in workshops around Guild Education’s understanding of what the program might look like, as we were building from scratch. We got leadership support on our initial roadmap and set about interviewing different squads to gather a solid cross-section of all the language types we’d be working with.
With this work completed, Trace3 put together a gap analysis, and together we shared it with leadership, engineering managers, as well as the product and DevOps team. POCs were completed with a thorough feedback and rating system in place. All of our work led us to Snyk, a cloud solution that secures all components of modern cloud-native applications in a single platform. A policy committee was then assigned to define policy implementation and a working process for how Snyk would work into the current developer pipeline. Trace3 played a huge role in supporting our needs, answering our questions, and offering insight into opportunities we could have inadvertently overlooked.
Trace3: How did you coalesce engagement and maintain momentum for the project?
Julie: We worked in true partnership across our leadership, teams, and providers from end-to-end—you can’t do this type of work in a silo. I think we were really thoughtful about each step in the process. Whenever we started a committee or team, we looked at the makeup of the teams (POC, Policy, Deployment) and thought about who should be part of it, and what different resources we needed from our stakeholders in order to make the team successful. Security was open to hearing “no,” and I think that is vital in any big decision. If an engineer didn’t like a project and security did, we would listen to that expertise. While security owns the tools, we don’t own deploying them or working them. It was important for the engineers to have a stake in the process.
Trace3: How are you adapting your security program to meet the demands of new hybrid workforce models?
Julie: Guild Education was already working in a cloud environment when the COVID-19 pandemic began. The global move to a hybrid workforce was not a shock to our system, as we already work in hybrid ways. However, Guild Education does not have a network of its own, so we put a lot of work into setting up security safeguards in front of our cloud tools. More important for us during this time was the process of moving beyond a traditional SIEM to a traditional security data lake. Now I can see what happens across all of the company. This is the biggest adaptation we made over the year.
Trace3: How do you manage security in the cloud differently, especially as it relates to multi-cloud environments?
Julie: With our security data lake, I send everything to one place. Now that the information is there, I can do data visualization across all of the clouds. We work purposefully within AWS, rather than within a mixture of cloud solutions.
Trace3: How important are AI and automation to the success of cloud security and the ever-present need to scale resources?
Julie: AI and automation flow across all security. There’s great value in using an automation piece like Python or other scripting to automate controls, ticketing, or workflows. Our use of AI and automation is primarily focused on security workflows. We want to keep up with the risks and threats coming at us, and to make security flow at scale, automation is a necessity.
Trace3: What do you think are the top three security issues facing enterprises today?
Julie: First, there is a very real, very apparent lack of talent available to support high-level, knowledge- and skill-focused tech roles. The DevSecOps and AppSec areas are still emerging, and we are seeing less talent than is needed. I also see a lack of quality talent in modern security practices like cloud, DevSecOps, and automation. Encourage those you know who are interested in tech to consider careers in the above!
Second, when tools do not integrate and work well together, we end up with so many different places to look for data and source threats. Our data lake helps me a lot. But in general, there are so many security tools available that specialize in one thing while offering add-ons that accommodate additional needs. There is a huge lack of visibility to the whole organization's security due to poor integration or a lack of integration. It’s costly and inefficient. All organizational tools need to be able to work together.
Third, security risks and threats are getting more and more sophisticated. In particular, third-party software supply chain risks that impact our software and the systems used to build software. If someone gets in through vulnerable source code or the build system, they can escalate privileges and compromise the entire thing. In the cloud era, infrastructure code is also considered software and should be treated as such. For Guild, being all cloud-based, it’s a huge concern. We do a lot of work to identify and stop threats early before deploying applications and infrastructure into production.
Want to read more Technology Triumphs? The world of work changed drastically over a year ago. A new workplace hybrid exposed a number of new security concerns along the way. Learn how Farm Credit Mid-America tackled the newest challenges to stay secure in a hybrid workplace.