Even organizations that understand the importance of cybersecurity in theory often stumble when it comes to marrying security initiatives with their development and operations processes.
We recently surveyed a group of development, operations, and security professionals, compiling our findings in this report: Bridging the Gap Between SecOps Intent and Reality. We found a huge gap between intent and reality when it comes to implementing and practicing SecOps — a term that — properly understood — refers to the integration and alignment of security with DevOps practices.
Most organizations agree that everyone should be responsible for security, but this principle is not being upheld on a day-to-day basis in many organizations. And that’s bad news for everyone.
Today, we’re examining why the vision for SecOps hasn’t become a reality at most organizations. We’re exploring specific obstacles and attitudes to spotlight what is standing in the way, even at organizations where a stronger security posture is an explicitly stated goal.
The Five Biggest Obstacles to SecOps Success
1. Willingness to Sacrifice Security for Speed
More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective. And it’s easy to understand why companies are doing this: In today’s fast-paced, competitive world, the speed of innovation and execution is what drives the business forward, allowing it to scale and be competitive. Slowing down code reviews or deployment can mean a direct impact on the bottom line, as well as customer satisfaction. However, it’s actually a myth that employing security best practices will necessarily slow down innovation. Companies that align security with business objectives, in fact, perform better.
2. Leadership Isn’t Championing SecOps
If leadership is not on board with integrated SecOps, then it may be nearly impossible to get the rest of the company on board. According to our report, the pressure to move as quickly as possible, without considering cybersecurity ramifications, often comes from on high. Sixty-eight percent of companies stated that their CEOs demand SecOps and security teams not do anything to slow the business down. When the directive for speed starts at the very top, it’s hard to ignore — even if it means that security becomes roadkill in the process.
3. Security Remains Siloed
Despite the fact that companies want security integrated with the greater organization, this rarely happens. Most of the time, security is siloed. In fact, a security specialist is assigned to the operations team at only 27% of the organizations we surveyed, and security pros are on board with development teams in just 18% of cases. At 38% of organizations, security is a completely separate team that is only brought in “when needed.”
4. Developers Can’t Code Securely
Although not ideal, it wouldn’t be such a big deal for security to be siloed if it weren’t for the fact that 44% of developers aren’t trained to code securely. Without this basic knowledge, coding is often done without security in mind. This causes security to become a bottleneck when it must inevitably step in and intervene. This not only slows down the process, but also creates friction between these teams, making it even harder for them to cooperate.
5. Operations Doesn’t Have Security Training
A full 42% of operations staff admit that they are not trained in basic security practices, which means that they can’t configure servers securely. It also means that they don’t see deploying security as part of the configuration management process, which allows security best practices to fall by the wayside. When ops pros aren’t trained in security, there’s no way SecOps can succeed.
Overcoming Obstacles in SecOps
Although the five obstacles we’ve outlined are significant, organizations are finding ways to overcome these challenges to better match their intent with reality. Many are equipping the C-Suite with necessary knowledge, aligning security with business objectives, and closing the security and operations gap.
To learn more about what Threat Stack’s survey uncovered and how you can apply its teachings to your organization, download your copy of Bridging the Gap Between SecOps Intent and Reality.