Most organizations are already using DevOps, in the process of adopting it, or are planning to integrate it into their operations. A survey by Enterprise Strategy Group (ESG) shows that 37 percent of organizations are already utilizing DevOps practices extensively while 28 percent say they are employing it on a limited basis. Around seven percent are planning to use it in the next one to two years, and 12 percent say they are interested in adopting it in the future.
However, DevOps is no longer the headliner it was when it was introduced to meet emerging needs. With the cyber threat landscape becoming more aggressive and rapidly evolving, organizations are forced to emphasize security in the development process. This is where DevSecOps comes in, and it needs a greater push to enable wider adoption.
The ESG study was published in June 2022 but its findings offer great insights that are still very much applicable today. The comprehensive study, which included private and public sector participants across six continents, interviewed CIOs, senior IT executives, information security managers, IT managers, and directors, as well as general IT staff to learn about their perspectives on cybersecurity technology trends and strategies. The study reveals details that can guide organizations on how to improve their DevSecOps programs toward greater and more effective adoption.
Here’s a summary of the relevant findings.
Training Reciprocation between the DevOps and Security Teams
The adoption of a new model or paradigm requires ample training to ensure effective and efficient implementation. The question is, who should be trained? Who should be prioritized in allocating resources for training? Developers are not the only ones involved in DevSecOps adoption. The security team also has a role to play.
The ESG survey shows that 77 percent of organizations agree that providing cloud and DevOps training for their security analysts and others in the security team improves their DevSecOps program. However, only 63 percent say that providing security training to their software development and DevOps teams boosts the success of their DevSecOps implementation. That is a notable gap between the share who consider cloud and DevOps training for security teams important for DevSecOps success and the share who say the same of security training for DevOps teams.
It is advisable to facilitate reciprocal training or exchange of expertise between DevOps and security teams for them to gain enough proficiency in each other’s fields. Providing the relevant training to only the DevOps or the security team is not going to be enough, especially with the rapid changes happening in the cybersecurity, cloud, and software development industries.
Meeting New Security Skills Needs as Cloud Use Increases
Around 70 percent of organizations, based on the ESG survey, admit that cloud applications and infrastructure require new security skills. This is an important detail to highlight given the prominent role of the cloud in modern organizations. Around 94 percent of organizations are already using cloud computing solutions.
Also according to the ESG survey, 42 percent of security professionals are convinced that providing cloud security training and certification support helps improve DevSecOps programs. Around the same number of security professionals believe that organizations will have better DevSecOps programs if developers are compelled to observe security measures including secure coding best practices, the implementation of safety nets in CI/CD pipelines, and regular security checks during the development process.
DevSecOps will not be successful if it does not result in cloud computing that is both efficient and secure. Under the shared responsibility model, cloud providers are responsible for security of the cloud, not security in the cloud. It is up to the DevSecOps team of an organization to make sure that the cloud apps and infrastructure they operate are adequately secure.
Consistent Policies in Bringing DevOps and Security Together
Nearly half (around 47 percent) of the security professionals in the ESG survey think that their DevSecOps adoption would advance further with the establishment of consistent central policies for integrating security with DevOps. The need for consistency and centralization may sound like an obvious requirement, but it is worth emphasizing in an age of democratized tooling and a growing preference for bespoke solutions to the challenges of different scenarios.
One of the biggest difficulties in speedily adopting DevSecOps practices is the fact that most organizations use different tools and larger organizations have multiple development teams working on different projects. It would be difficult to force everyone to operate under the same frameworks, procedures, and platforms.
However, it is possible to examine the different tools, processes, practices, and guidelines used by different teams and projects to find commonalities. There will always be areas where different teams share best practices and solutions that apply across many settings. These should be documented and shared with everyone to help expedite processes and guide every team toward adopting DevSecOps effectively.
Beyond the Survey
The survey figures and insights discussed above reflect where organizations stand on DevSecOps adoption and how they can act on these sentiments to better integrate DevOps and security. Certainly, there are other sensible steps to take to improve DevSecOps further. Here’s a brief guide.
Fostering a culture of collaboration – DevSecOps requires cooperation and coordination between development, operations, and security teams. There should be open communication between these teams.
Phase-by-phase implementation – One effective way to promote DevSecOps adoption is to start with a pilot project and proceed phase by phase. This allows teams to test the DevSecOps approach on a smaller scale, demonstrate its value, and also obtain feedback from stakeholders.
Taking advantage of tools and automation – What’s great about the modern IT era is that there is an abundance of tools, platforms, and cloud-based services to address various kinds of needs. Some are built for DevSecOps adoption, helping organizations streamline their processes and reduce the risk of errors. It helps to invest in relevant tools and automation solutions to simplify and standardize DevSecOps processes.
Evaluating success – Organizations should establish metrics to monitor and improve the effectiveness of DevSecOps practices. These metrics include the number of vulnerabilities identified and fixed and the time it takes to deploy new code.
Moving towards the integration of security and DevOps practices is an inevitability for many organizations facing the challenges of scarce resources and the shortage of security skills. Security and operational efficiency have to go hand in hand for organizations to become more competitive and capable of surviving the ceaseless evolution and the increasing aggressiveness of cyber attacks.