Lean security

New Context was founded in 2013 with the vision to keep the connected world safe and the mission to use Lean Security™ to automate the orchestration, governance and protection of critical infrastructure. Since then, we have been serving Fortune 500 companies and government entities by building secure compliant data platforms and enabling their teams to build secure and resilient software.

“[…] it is no longer capital but data that connects and drives everything […]”

– Shinzo Abe, Prime Minister of Japan @ World Economic Forum 2019 discussing Society 5.0

Lean Security™ is a methodology to reduce risk and increase velocity for companies who are embracing digital transformation and data economies. Inspired by lean, agile, DevOps and test-driven development, Lean Security™ is used to build secure and compliant software that increases efficiency, effectiveness and resilience.

Many software development teams still treat security and compliance as separate practices, and it is not uncommon to encounter cases of “the security person who is not invited in the room” [Read Epic Failures in DevSecOps, a publication of DevSecOpsDays.com Press].

Checking security and compliance is often done at the end of the software life cycle, while business requirements are treated first. In many cases, the solution is thought to be in the infrastructure, resulting in the addition of more tools. Since being founded, New Context realized that building efficient and resilient software relies on an ecosystem: infrastructure for sure, but also people and processes. Security and compliance should not be an add-on to software development, they should be integrated into it.

This realization is what makes Lean Security™ truly different: the methodology is based on principles, practices and tactics that are infused in the ecosystem of people, processes and infrastructure that produces software.

[Figure: Lean Security diagram]

Lean Security™ looks at the organization as an ecosystem of people, processes and infrastructure that serve the business in a digital world. The methodology then guides the organization through principles, practices and tactics that will empower it to deliver resilient, secure and compliant software.

People, Processes & Infrastructure

Successful digital businesses rely on an effective and efficient ecosystem of people, processes and infrastructure. People are often seen as the most important assets of an organization: engineering, marketing, legal, product development and many other functions all bring talents that are required in a modern, digital enterprise. The processes an organization follows, not only to produce software (such as DevOps, Agile, policies and compliance) but also to conduct its business, are increasingly shaped by security and compliance requirements. Finally, the infrastructure has to be the right one to support the systems that the business needs: it must be agnostic to vendor-specific technologies and yet be secure and compliant.

Lean Security Principles: Awareness, Simplification, Automation & Measurement

The principles of Lean Security™ have been articulated by New Context in the Lean Security™ Manifesto.

Being aware of your technical, business and regulatory environment is the first critical step toward securing the enterprise and reducing risk. Enterprise architecture is always gaining complexity, which increases both cost and risk. Simplifying and staying on top of what is really needed is paramount. As demand and constraints increase, automation is the only real answer to enterprise scale and robust security, eliminating manual errors. Finally, enterprises can only build and secure effectively if they have visibility into, and can measure, their performance.

Lean Security Practices: Agile, DevOps, Security, Compliance

Under the umbrella of the principles, Lean Security™ provides a framework to drill down into proper software development. There are four critical practices:

  • Agile: effective, collaborative and incremental software development, aligned with your business needs
  • DevOps: delivery of resilient applications and services at high velocity
  • Security Policy: software development needs to include security policy in architecture and deployment
  • Compliance: integrated into the core of digital transformation, robust and easily auditable

Lean Security Tactics

Implementation tactics will vary depending on the type of business and on security and regulatory pressure, but we have observed and implemented a set of typical ones. Culture and training are often the first mile in the ecosystem, especially when it comes to people, and they are fundamental building blocks to ensure that the principles are fully digested by the organization. Next comes fine-tuning of the infrastructure and the software development life cycle, keeping simplification in mind. Pipelines, monitoring and controls are critical pillars for automation, ensuring that the software is not only aligned with business needs but also resilient, secure and compliant.

Lean Security™ has been very effective in supporting New Context customers that operate critical infrastructure or are subject to significant governance and compliance rules. Lean Security™ delivers secure, compliant data platforms today.

Secure Compliant Data Platforms

How can you get started?

New Context offers LS/IQ, a software product that empowers a business to adopt and maintain security and compliance using Lean Security™.
You can learn more about this solution here.