Press Release

Coalfire Cloud Advisory Board Plots Smartest Path

October 14, 2021

Coalfire Cloud Advisory Board Plots Smartest Path to DevSecOps Transformation

2021 Report Reveals Best Practices for Secure SDLC

WESTMINSTER, CO – October 14, 2021 – Cybersecurity industry pioneers recently came together to define best-practice paths to secure cloud application development and management in Coalfire’s latest Securealities research report, Smartest Path to DevSecOps Transformation.

Coalfire’s prestigious Cloud Advisory Board (CAB), consisting of some of the world’s most experienced C-level cyber leaders, along with cloud security thought leaders from Coalfire, shines a light on how competition, COVID-19, and the rapid adoption of cloud technologies are driving organizations to build software and bring products to market with novel technologies and new management styles.

Standing on the shoulders of the agile development process, the report chronicles the emerging methodology of development security operations – DevSecOps. The nature of continuous integration and continuous delivery – CI/CD – has forced the final “shift left,” bringing coders and security pros together from the very start of every project.

“In the cloud, code is embedded every step of the way from the data center to the edge of networks, across expanding attack surfaces,” said Mark Carney, chief operating officer, Coalfire. “Code is more vulnerable now, and the development process is endlessly exposed to new threats from inception to the end of every product lifecycle. In the new report, Smartest Path to DevSecOps Transformation, we make the case for embracing DevSecOps and Application Security Orchestration and Correlation (ASOC) as the new strategic development and deployment imperatives, mission-critical to business continuity, operational resilience, and privacy protection.”

The report highlights key opportunities to drive security effectiveness for leaders in application security development and management by: 

Establishing a secure development process and culture

  • Embedding security into the software development life cycle (SDLC) from the outset through several techniques, including threat modeling before writing code, using application security testing gates, and implementing secure coding standards
  • Expanding automation use cases, highlighting 20+ automation opportunities across the DevSecOps lifecycle (from real time alerting when security and functional inspections fail to collecting governance artifacts and automating traceability)
  • Enlisting AppSec champions for support and scalability
  • Building a security culture from the ground up, relying on the cultural triad (partnership, cooperation, and collaboration)
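As an added illustration of two of the practices listed above (an application security testing gate, and real-time alerting plus governance artifacts when a security inspection fails), the following script is not code from the report or from Coalfire. It parses a constructed, SARIF-like scan result (a hypothetical simplified format, not any specific scanner’s schema), applies a gate policy with time-boxed accepted-risk exceptions, and produces the alert text and the traceability record a pipeline would emit. The rule identifiers, file paths, commit hash and dates in the sample are all made up for the example.

```python
"""Added example: a CI application-security gate with alerting and a
governance artifact. Hypothetical scanner format; not Coalfire's code."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Finding:
    rule_id: str
    severity: str  # "critical" | "high" | "medium" | "low"
    location: str


@dataclass
class GatePolicy:
    # Severities that block a build.
    fail_on: tuple[str, ...] = ("critical", "high")
    # rule_id -> ISO expiry date of an accepted-risk exception. An expired
    # exception no longer suppresses, so risk acceptance cannot silently
    # become permanent.
    exceptions: dict[str, str] = field(default_factory=dict)


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_findings(scan_json: str) -> list[Finding]:
    """Parse the hypothetical SARIF-like scanner output (assumed format)."""
    doc = json.loads(scan_json)
    return [
        Finding(r["ruleId"], r["level"].lower(), r.get("location", "?"))
        for r in doc.get("results", [])
    ]


def evaluate_gate(findings: list[Finding], policy: GatePolicy, today: date) -> dict:
    """Split gating findings into blocking and (validly) suppressed."""
    blocking, suppressed = [], []
    for f in findings:
        if f.severity not in policy.fail_on:
            continue
        expiry = policy.exceptions.get(f.rule_id)
        if expiry and date.fromisoformat(expiry) >= today:
            suppressed.append(f)
        else:
            blocking.append(f)
    blocking.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return {"passed": not blocking, "blocking": blocking, "suppressed": suppressed}


def alert_message(result: dict) -> str | None:
    """Text for the real-time alert; None when the gate passes."""
    if result["passed"]:
        return None
    lines = [f"SECURITY GATE FAILED: {len(result['blocking'])} blocking finding(s)"]
    lines += [f"  [{f.severity}] {f.rule_id} at {f.location}" for f in result["blocking"]]
    return "\n".join(lines)


def governance_artifact(result: dict, policy: GatePolicy, commit: str, today: date) -> dict:
    """Traceability record: what was checked, what blocked, what was accepted
    and until when. Written alongside the build so auditors can replay it."""
    return {
        "commit": commit,
        "evaluated_on": today.isoformat(),
        "passed": result["passed"],
        "fail_on": list(policy.fail_on),
        "blocking": [vars(f) for f in result["blocking"]],
        "accepted_risk": [
            {**vars(f), "expires": policy.exceptions[f.rule_id]}
            for f in result["suppressed"]
        ],
    }


# Constructed sample scanner output (not real scan data).
SAMPLE_SCAN = json.dumps({"results": [
    {"ruleId": "CWE-89",   "level": "high",     "location": "app/db.py:42"},
    {"ruleId": "CWE-798",  "level": "critical", "location": "app/config.py:7"},
    {"ruleId": "CWE-1104", "level": "medium",   "location": "requirements.txt"},
    {"ruleId": "CWE-79",   "level": "high",     "location": "app/views.py:88"},
]})

# One valid exception (CWE-79) and one expired exception (CWE-89), which
# therefore still blocks.
SAMPLE_POLICY = GatePolicy(exceptions={"CWE-79": "2099-01-01", "CWE-89": "2020-01-01"})


def run_sample(today: date = date(2021, 10, 14)) -> dict:
    result = evaluate_gate(parse_findings(SAMPLE_SCAN), SAMPLE_POLICY, today)
    return {
        "result": result,
        "alert": alert_message(result),
        "artifact": governance_artifact(result, SAMPLE_POLICY, "deadbeef", today),
    }


if __name__ == "__main__":
    out = run_sample()
    print(out["alert"] or "gate passed")
    print(json.dumps(out["artifact"], indent=2))
```

In a pipeline the non-zero exit on a failed gate, the alert, and the artifact are all driven from the same evaluation, so the dashboard metric, the on-call page and the audit record cannot disagree about what was checked.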

Rethinking governance, reporting, and go-to-market

  • Breaking the model of how CISOs report to the board, showing how security protects each product along its unique journey to the customer and leveraging executive dashboards with continuous metrics
  • Enhancing security governance by leveraging qualitative metrics in addition to the quantitative metrics that many organizations exclusively focus on today
  • Insisting on centralized accountability for security, starting at the board level
  • Highlighting the most effective tactics to tell your security story, such as re-framing “security first” messaging to “customer first” messaging

Bad actors break into systems quickly and evade detection so often that, in practice, no product or application is free of a single point of failure. Despite this, “customers are coming to expect flawless security assurance and execution from their vendors and suppliers,” said John Dickson, vice president, security solution architecture, who provides the introduction to the report.

“Our report paints a best-practice picture of where the puck is going on the road to digital transformation, and how securing the CI/CD pipeline has become core to the enterprise mission.”

The comprehensive report spans the following sections, each with a contributing author:

  • Preparation: Mark Weatherford, CSO, AlertEnterprise and CSO, National Cybersecurity Center, and board advisor to public and private organizations
  • The Secure Product Lifecycle: Jerry Bell, VP and CISO, IBM Public Cloud
  • Culture: Adrian Mayers, Dr. B.A., VP, CISO, Premera Blue Cross
  • Automation: Matt Sharp, CISO, Logicworks
  • Governance: Nils Puhlmann, CRSO, MoonPay and Co-founder, Cloud Security Alliance
  • Management Reporting: Tony Spinelli, CIO, Urban One, Inc. and Board Director, Peapack Bank, Blue Cross Blue Shield
  • Security as a Differentiator: Gail Coury, SVP, CISO, F5

Security requires constant innovation in line with the new maxim that IT, development, and security teams must operate together with a “defensible” mentality. “There is no such thing as a completely secure system,” said Tony Spinelli, CIO, Urban One, Inc., “If you’re not innovating within your security program you’re standing still. If you’re standing still, you’re falling behind.”

Access the full report here:

About Coalfire
The world’s leading technology infrastructure providers, SaaS companies, and enterprises – including the top-five cloud service providers and eight of the top-10 SaaS organizations – rely on Coalfire to strengthen their security posture and secure their digital transformations. As the largest firm dedicated to cybersecurity, Coalfire delivers a comprehensive suite of advisory and managed services, spanning cyber strategy and risk, cloud security, threat and vulnerability management, application security, privacy, and compliance management. A proven leader in cybersecurity for the past 20 years, Coalfire combines extensive cloud expertise, advanced technology, and innovative approaches that fuel success.

For more information, visit

For media inquiries:
Mike Gallo
(212) 239-8594