Establishing a Scalable Collaboration Between Security and DevOps

January 28, 2021

In a recent blog post, we discussed the journey many IT organizations are taking toward digital transformation and the trajectory they have followed in recent years. Drawing on a recent webinar run with 451 Research, part of S&P Global Market Intelligence, we looked at the cloud-heavy future of workload deployment locations, current DevOps adoption patterns, and the reality check many organizations must undertake before making significant changes.

With those factors in mind, we now look at the impact on information security and the level-up required to realize effective change in an organization. Let’s take a closer look at what goes into building a collaborative environment for security and DevOps, where the current gaps exist, and which challenges must be addressed for effective adoption at scale.

The Ongoing Cloud Gap for InfoSec

The skills gap is a perpetual problem across all of IT, but for cloud implementation in particular, it’s substantial. From the research, 41% of respondents reported a skillset gap in cloud platform expertise. While this is down slightly from the 49% reported in 2019, it remains higher than any other area discussed, including digital forensics, machine learning, application security, security architecture and DevOps itself.

[Chart] Q. Which skillsets are inadequately addressed at your organization today? Please select all that apply. Base: All respondents. Source: 451 Research’s Voice of the Enterprise: Information Security, Organizational Dynamics 2019 and 2020.

The result is that security teams have been forced to recognize and address the cloud skills gap, and they are working hard to catch up.

Why is it so important to address this gap? Because of persistent concerns about runaway cloud usage. When asked what top potential issues with hosted cloud solutions are most pressing for their organizations, InfoSec leaders identified the following:

[Chart] Q. What are the top potential issues with hosted cloud solutions (hosted private cloud, IaaS or PaaS)? Please select up to 3. Base: All respondents (n=199). Source: 451 Research’s Voice of the Enterprise: Information Security, Budgets & Outlook 2020.

Topping the list is the potential loss of sensitive data, followed by auditability and compliance-related issues. More than a third of respondents noted one of these three items. They are concerned about the loss of control overall: how to verify that work outside their team is being done properly, and how to receive reports on it. They can’t be sure whether someone has downloaded a copy of production data into a QA environment to do better testing or, worse, into a dev environment to chase a specific bug. What happens when potentially sensitive data that you are responsible for ends up somewhere outside your control? These are the issues that concern security teams most.

Security teams are trying to adapt what they already know to the context of supporting DevOps, so when the research dug into the question of where containers actually run, security respondents gave some interesting answers.

In 2019, nearly 60% of respondents indicated that containers run all or mostly on top of or inside VMs. In 2020, that number was roughly the same, and in both cases, twelve-month estimates put that number even higher.

[Chart] Q. Where do your containers run? And where will they run in 12 months? Base: Organization has containers in use (n=328). Source: 451 Research’s Voice of the Enterprise: DevOps, 2H 2019 and Workloads & Key Projects 2020.

Expectations for change are greater than what was actually accomplished in 2019, and likely greater than what we’ll see in 2020.

Another important question that speaks to how DevOps and security are working together is how many workloads are deployed with proper security controls defined.

[Chart] Q. Approximately what percentage of your DevOps workflow implementations include security elements? Base: Organization uses DevOps at some level, abbreviated fielding (Note: Base sizes below n=30 should be interpreted anecdotally). Source: 451 Research’s Voice of the Enterprise: DevOps, Workloads & Key Projects 2020.

What this shows is that only 22% of respondents deployed 90% or more of their workloads with security elements included. When the responses were broken down by DevOps experience, the numbers increased substantially: 46% of the more experienced respondents indicated that they deploy with security more than 90% of the time. Collaboration leads to substantially greater coordination and improved results.

Organizational and Strategic Implications

Securing modern architectures is a collaborative effort. To overcome these cloud issues and scale effectively, it’s important to address that collaboration directly, starting with culture changes that emphasize its importance to all stakeholders. Other priorities include:

  • Reviewing and reassigning risk management
  • Recognizing the distributed nature of work
  • Recognizing an operational model that runs at a different tempo
  • Making new technology choices across the stack

What does this ultimately mean for InfoSec teams? It repositions security as a support function across transformational efforts, with subject matter expertise that should be drawn on where needed at every stage of the process. It’s vital to recognize the distributed nature of the work and how much faster things are moving in 2021 than even a few years ago. While this definitely affects decisions about technology choices in your stack, that’s only a small part of it. It’s also part of a much bigger cultural conversation.

By adopting DevOps processes, security work can be made far more interesting and far more responsive to the rapidly changing needs of an organization. The result is improved communication about planned work, enablement advice and escalation paths for threat modeling and incident response, and better embedding of security functionality within pipelines and environments. Who doesn’t want to be a trusted and respected advisor that other departments look to for insights, rather than constantly dealing with the manual toil long associated with security roles?

In practice, that means safe platform designs, compliance functions, implementation of shared libraries and services, and observability and security tie-ins where they make sense.

Taking the Next Step

It’s critical to think about how you can build security into the flow of work that’s already being conducted. How can the secure way become the easy way? This means evaluating the critical workflows to make sure that the business can run and grow as needed, and that security is fully aligned with those workflows.

This requires people from both sides of the aisle. Security needs to be open to these changes, letting go of some elements and embracing a change in role, while DevOps needs to understand where security is coming from and what it is trying to accomplish. By fully understanding the relationship between both sides, facilitating greater collaboration, and improving the workflow, the organizational impact can be substantial.

Watch the full replay of Divided We Fail: How Security Teams Can Better Engage With DevOps to learn more about the relationship between DevOps and security teams and how existing and developing digital transformation efforts impact that relationship.