PREDICTIVE INTELLIGENCE
security shortcuts. One report out in
March claimed that security breaches
linked to the use of handy open source
software components have risen by 71%
over the past five years.
Time for change
With this in mind, it would seem that all
that organisations need to drive success
in DevOps is improved security solutions.
After all, less than half of IT leaders
(49%) told us they have all the tools
they need. However, the problems go
much deeper. As mentioned, part of
the issue is an outdated perception
of the IT security function. This may
be perpetuated by the actions of
the security team itself – 40% of
respondents told us security is not on
board enough with the need for agile
innovation and a similar number (39%)
said it actually slows down the speed
of DevOps.
However, the problems extend beyond
the IT security department. Despite most
(72%) respondents recognising that
minimal security involvement in DevOps
creates risk, a third said they don’t
always consult security teams.
What’s more, just two-fifths (42%) said
their IT security department is fully
equipped with the skills to secure
DevOps projects. This is particularly
alarming given that increased complexity
of security and infrastructure was cited
as the number one barrier to success.
With DevOps,
integrated security
is an essential
pre-requisite for
success.
Even more telling, we uncovered serious
communication and leadership challenges
among many organisations implementing
DevOps. A fifth said a lack of leadership
is a major roadblock, a quarter claimed
they’re struggling to get buy-in from
senior executives and an overwhelming
majority pointed to IT siloes.
Towards security-by-design
As a result, it’s no surprise that only
38% of global organisations we spoke
to could boast a fully formed DevOps
strategy. It’s indicative perhaps of a
‘move fast and break things’ culture in
too many companies.
Instead we need to replace this with one
of security-by-design – a recognition
among all levels in the organisation of
the need for security to be built into
every part of the business, from the
very start. This means not simply paying
lip service to security, but realising
its central importance as a driver of
business value, as well as risk mitigation.
Cultural change is notoriously difficult,
of course. But engaging board
members would be a good start – to
take ownership of projects and bring
together development, operations and
security teams. Each team should get an
appreciation of the day-to-day challenges
the other teams face – perhaps by
setting common goals across teams.
Creating a culture of goal-setting and
Issue 17 | www.intelligentciso.com