Securing DevOps: Why Culture is Key to Driving Company-Wide Success

By Greg Young, Vice President of Cybersecurity at Trend Micro

Greg Young, Vice President of Cybersecurity at Trend Micro

DevOps is the new engine for global business growth. All over the planet, organizations are becoming more responsive to changing market demands thanks to the roll-out of agile, automated development processes. Yet there are challenges. Cybersecurity remains the number one barrier to effective implementation of projects. According to a new global Trend Micro poll, an overwhelming 94% of IT leaders claimed that implementing DevOps initiatives would cause major security concerns.

In many cases, the answer lies not just by equipping IT security teams with the right resources, but in the much harder task of driving cultural change throughout the organization. That’s the only way to overcome key challenges including IT siloes and lack of ownership to drive lasting success.

Taking over the world

DevOps is everywhere. Our research revealed that more than a third (37%) of global organizations have already implemented projects, and a further 44% are currently doing so. Most (79%) said that DevOps is a bigger priority than it was a year ago. Why is this happening? Because of the rewards it offers, everything from enhanced process efficiencies to accelerated speed of deployment. Ironically, those we spoke to also pointed to IT security improvements as a major business benefit from DevOps. Yet in getting there, they are also concerned about the potential for DevOps to expose them to a greater risk of cyber-attacks and breaches.

Part of the security challenges presented by DevOps lie in the new IT architectures being used and the overwhelming need for speed. These development practices have ushered in a new era of horizontal microservices. Potentially updated several times each day, they are a long way from the monolithic, vertical applications of old, which were changed at most on a monthly basis. Securing such a fast-changing, fluid environment can be tricky – especially if security is still viewed as reactive, perimeter-focused, slow and manually driven. Often the speed-to-market imperative means developers take security shortcuts: one report out in March claimed that security breaches linked to the use of handy open source software components have risen by 71% over the past five years.

Time for change

With this in mind, it would seem like all organizations need to drive success in DevOps is improved security solutions. After all, less than half of IT leaders (49%) told us they have all the tools they need. However, the problems go much deeper. As mentioned, part of the issue is an outdated perception of the IT security function. This may be perpetuated by the actions of the security team itself: 40% of respondents told us security is not on board enough with the need for agile innovation and a similar number (39%) said it actually slows down the speed of DevOps.

However, the problems extend beyond the IT security department. Despite most (72%) respondents recognizing that minimal security involvement in DevOps creates risk, a third said they don’t always consult security teams. What’s more, just two-fifths (42%) said their IT security department is fully equipped with the skills to secure DevOps projects. This is particularly alarming given that increased complexity of security and infrastructure was cited as the number one barrier to success.

Even more telling: we uncovered serious communication and leadership challenges among many organizations implementing DevOps. A fifth said a lack of leadership is a major roadblock, a quarter claimed they’re struggling to get buy in from senior executives and an overwhelming majority pointed to IT siloes.

Towards security-by-design

As a result, it’s no surprise that only 38% of global organizations we spoke to could boast a fully formed DevOps strategy. It’s indicative perhaps of a “move fast and break things” culture in too many companies. Instead we need to replace this by one of security-by-design: a recognition among all levels in the organization of the need for security to be built into every part of the business, from the very start. This means not simply paying lip service to security but realizing its central importance as a driver of business value and risk mitigation.

Cultural change is notoriously difficult, of course, but engaging board members would be a good start – to take ownership of projects and bring together development, operations and security teams. Each team should get an appreciation of the day-to-day challenges the other teams face, perhaps by setting common goals across teams. Creating a culture of goal setting and performance measurement will help to evaluate the progress of initiatives and reward success.

This must be backed up by the right tools and technology, of course. Process automation can also help to reduce human error while security that is adaptive, contextual, and software-based should be prioritized. Once security functionality is exposed as services via APIs, it is easier to embed into DevOps workflows in an automated manner. It can enable crucial capabilities such as continuous scanning of container images for bugs and malware along with run-time protection. In the early stages of a project at least, it may be a good idea to prioritise visibility and monitoring rather than enforcement and blocking, so that security is not seen as a drag on innovation.

Security-by-design will take some time to fully embed throughout an organization and may benefit from allocating budget to a new DevSecOps team. With DevOps, integrated security is an essential pre-requisite for success. After all, brakes aren’t there to slow you down, they’re there so that you can get to your destination faster and safer.