Why Culture is Key to Implementing Secure DevOps Throughout Your Organisation - TechInvest Magazine Online

DevOps is the new engine for global business growth, with the sector predicted to grow to the value of US$10.5 billion by 2024. All over the planet, organisations are becoming more responsive to changing market demands thanks to the roll-out of agile, automated development processes. Yet there are challenges apparent within the Australian market.

Cyber security remains the number one barrier to effective implementation of projects. According to a new global Trend Micro poll, an overwhelming 83 percent of IT leaders in Australia claimed that implementing DevOps initiatives would cause security concerns in their organisation.

In many cases, the answer to these concerns lies not just in equipping IT security teams with the right resources, but in driving cultural change throughout the organisation. That’s the only way to overcome key challenges, including IT silos and lack of ownership, and to drive lasting success.

With the rise of DevOps initiatives, paired with increasing demand in developer roles, it’s important that Australian organisations overhaul or examine internal processes and nurture communication at every level of the organisation.

A new frontier of transformation

DevOps is gaining traction in Australian businesses. Our research revealed that half (50%) of Australian organisations have already implemented projects, and a further 37 percent are currently in the process of doing so. In fact, more than two-thirds (69%) said that DevOps is a bigger priority than it was a year ago. Why is this the case? Largely because of the rewards on offer: everything from enhanced process efficiencies to accelerated speed of deployment.

Ironically, those we spoke to also pointed to IT security improvements as a major business benefit from DevOps. Yet in getting there, they are concerned about the potential for DevOps to expose them to a greater risk of cyber-attacks and breaches.

Part of the security challenge presented by DevOps lies in the new IT architectures being used and the overwhelming need for speed and instant results. These development practices have ushered in a new era of horizontal microservices potentially updated several times each day.

Securing such a fast-changing, fluid environment can be tricky – especially if security is still viewed as reactive, perimeter-focused, slow and manually driven.

Time to nurture communication

With this in mind, it would seem as though the only thing organisations need to drive success in DevOps is improved security solutions. After all, just over half of IT leaders (55%) within Australia told us they have all the tools they need.

However, the problems go much deeper and part of the issue is an outdated perception of the IT security function. This may be perpetuated by the actions of the security team itself, as 37 percent of respondents told us security is not on board enough with the need for agile innovation and a similar number (43%) said it actually slows down the speed of DevOps.

However, the problems extend beyond the IT security department. Despite two thirds (63%) of respondents recognising that minimal security involvement in DevOps creates risk, most (73%) said they don’t always consult security teams.

What’s more, just 51 percent said their IT security department is fully equipped with the skills to secure DevOps projects. This is particularly alarming given that increased complexity of security and infrastructure was cited as the number one barrier to success.

Even more telling: we uncovered serious communication and leadership challenges among many organisations implementing DevOps. A fifth said a lack of leadership is a major barrier, 35 percent claimed they’re struggling to get buy-in from senior executives and 34 percent pointed to a lack of communication between the developer, security and operations teams.

Building with security-by-design at the forefront

As a result, it’s no surprise that just half (51%) of Australian respondents we spoke to could boast a fully formed DevOps strategy. It’s indicative perhaps of a “move fast and break things” culture in too many companies. Instead we need to replace this with a security-by-design approach: a recognition among all levels in the organisation of the need for security to be built into every part of the business, from the very start.

In reality, developers are no longer considered siloed from decision making – they’re part of the business strategy process – and this means they need to bake security and privacy into every build.

Cultural change is notoriously difficult within any organisation. But engaging board members would be a good start, particularly as this seems to be a pain point within teams implementing the day-to-day DevOps initiatives.

Each team should be given the opportunity to establish an appreciation of the challenges the other teams face, perhaps by setting common goals across teams. Creating a culture of goal-setting and performance measurement will help to evaluate the progress of initiatives and reward success.

This must be backed up by the right tools and technology, of course. Process automation can also help to reduce human error while security that is adaptive, contextual, and software-based should be prioritised.

Once security functionality is exposed as services via APIs it is easier to embed into DevOps workflows in an automated manner. In the early stages of a project at least, it may be a good idea to prioritise visibility and monitoring rather than enforcement and blocking, so that security is not seen as a drag on innovation.

A security-by-design approach will take some time to fully embed throughout an organisation and it might be beneficial to allocate budget to a new DevSecOps team. Yet it is worth it: with DevOps, integrated security is an essential prerequisite for success and safety.