How security is embedded in their DevOps processes. A lot of it is cultural.
How can you get teams of engineers building things and keep it secure?
Why do humans not necessarily do the secure thing by default? And how do we build into our engineering processes so that the default path is the one engineers actually take, and is also the most secure route?
Shift left is a big thing at NatWest; they accept the initial friction, and train people to use the tools to remove that friction, so that shift left doesn't come at the expense of the right-hand side.
How do they make that easier?
Automation and orchestration – CI/CD pipelines generate lots of opportunities for the security team – looking at containers as they are being built, checking infra-as-code cloud configurations (collecting data and giving recommendations).
They can then automate these recommendations and have auto-failing test suites for specific scenarios (like automated code testing etc.).
They have automatic remediation: instead of alerting and waiting on someone to do it, the pipeline should automatically address the issue (e.g. infra as code with a mistake in their cloud environment).
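An added example of the pipeline stage described above (not NatWest's code): a check runs over an infra-as-code document, produces recommendations, auto-remediates what it can, and fails the CI stage only if something is still wrong after the fix. The document shape, the sample resources and the rule that admin ports must not be open to 0.0.0.0/0 are all constructed assumptions, not any real provider's schema or policy.

```python
import copy

# Constructed sample infrastructure-as-code document (assumption: a simplified
# dict shape, not any real provider's schema) with two deliberate mistakes:
# an SSH rule open to the world and a public storage bucket.
SAMPLE_IAC = {"resources": [
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "storage_bucket", "name": "logs", "public": True},
    {"type": "storage_bucket", "name": "assets", "public": False},
]}
ADMIN_PORTS = {22, 3389}  # assumed policy: never reachable from 0.0.0.0/0

def world_open_admin(rule):
    return rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0"

def check_iac(doc):
    """Collect (resource, issue, recommendation) findings; no side effects."""
    findings = []
    for res in doc["resources"]:
        if res["type"] == "security_group":
            for rule in res.get("ingress", []):
                if world_open_admin(rule):
                    findings.append((res["name"], f"port {rule['port']} open to 0.0.0.0/0",
                                     "restrict cidr to the corporate range"))
        elif res["type"] == "storage_bucket" and res.get("public"):
            findings.append((res["name"], "bucket is public", "set public to false"))
    return findings

def remediate(doc):
    """Return a fixed copy: drop world-open admin rules, make buckets private."""
    fixed = copy.deepcopy(doc)  # never mutate the reviewed input
    for res in fixed["resources"]:
        if res["type"] == "security_group":
            res["ingress"] = [r for r in res.get("ingress", []) if not world_open_admin(r)]
        elif res["type"] == "storage_bucket":
            res["public"] = False
    return fixed

def pipeline_gate(doc, auto_fix=True):
    """Return (exit_code, doc_to_deploy); a non-zero code fails the CI stage."""
    if not check_iac(doc):
        return 0, doc
    if not auto_fix:
        return 1, doc
    fixed = remediate(doc)  # re-check so a remediation bug cannot slip through
    return (0 if not check_iac(fixed) else 1), fixed
```

Calling pipeline_gate(SAMPLE_IAC) returns exit code 0 with the fixed document; with auto_fix=False it returns 1 and leaves the findings for a human, which is the alert-and-wait mode the talk contrasts against.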
They have started to take all their infra as code, git repos, cloud deployments etc. and pull data from those APIs to build a picture of what the devs actually build, instead of getting them to try to explain it.
They use the telemetry gathered through the process for the auditors to check manually. They can pull compliance reports automatically for any stage at any time with a couple of clicks etc.
They have things like automated deployments for the corporate desktop with CI/CD that can deploy their desktop overnight for 80k users.
They use ServiceNow – e.g. all the data flows into there and is shown to their customers for governance (for teams within security, and for teams outside of security with similar workflows).
They want to use the built-in security where available (rather than bolting stuff on) as it allows them to use compatible functions via their systems' pre-integrated APIs.