The 5 Biggest Obstacles to SecOps Success

Pat Cable, April 12, 2018 (DevSecOps, 3 min read)

Even organizations that understand the importance of cybersecurity in theory often stumble when it comes to marrying security initiatives with their development and operations processes.

We recently surveyed a group of development, operations, and security professionals, compiling our findings in this report: Bridging the Gap Between SecOps Intent and Reality. We found a huge gap between intent and reality when it comes to implementing and practicing SecOps, a term that, properly understood, refers to the integration and alignment of security with DevOps practices. Most organizations agree that everyone should be responsible for security, but this principle is not being upheld on a day-to-day basis in many organizations. And that’s bad news for everyone.

Today, we’re examining why the vision for SecOps hasn’t become a reality at most organizations. We’re exploring specific obstacles and attitudes to spotlight what is standing in the way, even at organizations where a stronger security posture is an explicitly stated goal.

The Five Biggest Obstacles to SecOps Success

1. Willingness to Sacrifice Security for Speed

More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective. And it’s easy to understand why companies are doing this: in today’s fast-paced, competitive world, the speed of innovation and execution is what drives the business forward, allowing it to scale and be competitive. Slowing down code reviews or deployment can mean a direct impact on the bottom line, as well as customer satisfaction.
However, it’s actually a myth that employing security best practices will necessarily slow down innovation. Companies that align security with business objectives, in fact, perform better.

2. Leadership Isn’t Championing SecOps

If leadership is not on board with integrated SecOps, then it may be nearly impossible to get the rest of the company on board. According to our report, the pressure to move as quickly as possible, without considering cybersecurity ramifications, often comes from on high. Sixty-eight percent of companies stated that their CEOs demand SecOps and security teams not do anything to slow the business down. When the directive for speed starts at the very top, it’s hard to ignore, even if it means that security becomes roadkill in the process.

3. Security Remains Siloed

Despite the fact that companies want security integrated with the greater organization, this rarely happens. Most of the time, security is siloed. In fact, a security specialist is assigned to the operations team at only 27% of the organizations we surveyed, and security pros are on board with development teams in just 18% of cases. At 38% of organizations, security is a completely separate team that is only brought in “when needed.”

4. Developers Can’t Code Securely

Although not ideal, it wouldn’t be such a big deal for security to be siloed if it weren’t for the fact that 44% of developers aren’t trained to code securely. Without this basic knowledge, coding is often done without security in mind. This causes security to become a bottleneck when it must inevitably step in and intervene. This not only slows down the process, but also creates friction between these teams, making it even harder for them to cooperate.

5. Operations Doesn’t Have Security Training

A full 42% of operations staff admit that they are not trained in basic security practices, which means that they can’t configure servers securely.
It also means that they don’t see deploying security as part of the configuration management process, which allows security best practices to fall by the wayside. When ops pros aren’t trained in security, there’s no way SecOps can succeed.

Overcoming Obstacles in SecOps

Although the five obstacles we’ve outlined are significant, organizations are finding ways to overcome these challenges to better match their intent with reality. Many are equipping the C-suite with the necessary knowledge, aligning security with business objectives, and closing the security and operations gap.

To learn more about what Threat Stack’s survey uncovered and how you can apply its teachings to your organization, download your copy of Bridging the Gap Between SecOps Intent and Reality.

About Pat Cable

Patrick Cable is Director of Platform Security at Threat Stack. As an infrastructure security engineer, Patrick focuses on ensuring the security of the Threat Stack Platform by collaborating with other departments, implementing security tools, and building new technology to make security easier for everyone in the organization. Prior to working at Threat Stack he was Associate Staff in the Secure and Resilient Systems Group at MIT Lincoln Laboratory, where he worked on improving cloud security in research environments.