Security at the Speed of Business
By George V. Hulme
You don’t have to outrun the bear; you just need to be quicker than your competitors. But in a race to survive, data protection can fall by the wayside.
The name of the game for enterprise success today is to digitally transform as many business processes as you can, as fast as you can. It’s no longer good enough for new employees or contractors to be provisioned with the tools and apps they need within a week. They need access on Day 1. The same goes for every other internal and external process: it all needs to be digital. Don’t even try to push stacks of paper in front of customers to fill out. No one has tolerance for that anymore.
It’s all about streamlining processes, providing exceptional customer experience and being more agile than the competition.
Many organizations are driving these efforts forward with DevOps and more agile methodologies. Research firm IDC predicts that by 2019, 75 percent of CIOs will recognize the limitations of traditional IT and embrace a leadership approach that embodies a virtuous cycle of innovation.
What is so telling about that prediction is this: the vast majority of organizations don’t believe that their own IT organizations are currently able to support digital transformation.
One monkey wrench in the digitalization of business today is application security. It is incredibly difficult for security to keep up with the rapid pace of change that DevOps-driven digital transformation brings, and doing so requires a complete overhaul of how enterprises secure their data, their applications, and their software development and delivery.
If all this sounds familiar, it’s because this is a decades-old conundrum for enterprise application development and application security teams. In traditional development environments, security was seen as a roadblock to getting software out the door and meeting ship dates. That application security stuff? We’ll deal with it later. The same tendency shows up in nearly every aspect of security: it gets in the way. Firewalls? They hamper network traffic. Two-factor authentication? It’s a hassle and slows down logon. Application security? That pushes back ship dates and kills production bonuses.
The same is true with DevOps and continuous delivery. The tests slow things down, especially if they are manual. And today, still, too many enterprises are doing manual continuous delivery testing. Few have automated as many of the tests as they should.
Earlier this year, DevOps.com conducted a survey, Security @ the Speed of DevOps. By questioning 255 security decision makers within DevOps organizations, it found that while DevOps is being embraced by organizations of all sizes, not all have mature security processes in place.
While a full 90 percent of organizations with 5,000 to 9,999 employees report that they have adopted DevOps practices, only 38 percent of organizations with 500 or fewer employees have started or widely adopted such practices. In fact, less than 7 percent of organizations with fewer than 100 employees have automated a considerable portion of their application security testing, while 29 percent have automated some. Among organizations with 5,000 to 9,999 employees, 38 percent have automated considerable amounts of their testing, and nearly 50 percent only some.
Most surprisingly, 80 percent of those enterprises with 10,000 or more employees have yet to automate a considerable amount of their application security testing. Fortunately, roughly half of those have plans to bring more automation to their pipelines.
Enterprises must get this right. They don’t have a choice. They can’t have their DevOps processes produce applications that are easily breached, or create more problems than traditional software methods did.
The consensus among most experts is that the only way to get both fast and secure is to automate as much security testing as possible, so that it is as unobtrusive to the delivery process as possible, and to treat security defects like any other type of defect: they surface in the same pipeline, in the same reports, and block a release on the same terms as a failing unit test.
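One concrete way to make "security defects are treated like any other defect" real in a pipeline is to feed scanner findings through a severity gate and emit them in the same JUnit-style XML that CI systems already render for unit tests. The script below is an added example written for this article, not code from the article, from DevOps.com, or from any particular scanner; the report format it reads (a JSON object with a `findings` list), the sample findings, the component names and the `F-n` identifiers are all constructed for illustration.

```python
"""Policy gate that turns security-scanner findings into ordinary CI test results.

Added example (not from the article). The input format is hypothetical: a JSON
object {"findings": [{"id", "component", "version", "severity", "title"}, ...]}.
Findings at or above the threshold become failed test cases in a JUnit-style
XML suite, so they appear in CI next to unit-test failures; the rest are
recorded as passing cases with a note, so they stay visible without blocking.
"""
import json
import sys
import xml.etree.ElementTree as ET

# Constructed sample report (made up for this example; not real scanner output).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "component": "example-http", "version": "2.0.1",
         "severity": "critical", "title": "Outdated component with known issue"},
        {"id": "F-2", "component": "example-yaml", "version": "0.9.0",
         "severity": "high", "title": "Unsafe deserialization default"},
        {"id": "F-3", "component": "example-log", "version": "1.4.2",
         "severity": "medium", "title": "Verbose error output"},
        {"id": "F-4", "component": "example-util", "version": "3.1.0",
         "severity": "low", "title": "Deprecated API usage"},
    ]
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def load_findings(report_json):
    """Parse the report. An unknown severity is treated as 'critical' so that a
    scanner format change can never silently slip a finding past the gate."""
    findings = []
    for f in json.loads(report_json).get("findings", []):
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            sev = "critical"
        findings.append({**f, "severity": sev})
    return findings


def gate(findings, fail_at="high"):
    """Split findings into (blocking, advisory) lists by severity threshold."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    advisory = [f for f in findings if SEVERITY_RANK[f["severity"]] < threshold]
    return blocking, advisory


def to_junit(findings, fail_at="high", suite_name="security-scan"):
    """Render findings as a JUnit XML testsuite: blocking findings are failed
    test cases, advisory findings are passing cases carrying a system-out note."""
    blocking, advisory = gate(findings, fail_at)
    suite = ET.Element("testsuite", name=suite_name,
                       tests=str(len(findings)), failures=str(len(blocking)))
    for f in blocking + advisory:
        case = ET.SubElement(suite, "testcase", classname=f["component"],
                             name=f"{f['id']} {f['title']}")
        msg = f"{f['severity']}: {f['component']}@{f['version']} - {f['title']}"
        if f in blocking:
            ET.SubElement(case, "failure", message=msg).text = msg
        else:
            ET.SubElement(case, "system-out").text = msg
    return ET.tostring(suite, encoding="unicode")


def main(report_json=SAMPLE_REPORT, fail_at="high"):
    """Print the XML report and return the CI exit code: 0 pass, 1 blocked."""
    findings = load_findings(report_json)
    blocking, _ = gate(findings, fail_at)
    print(to_junit(findings, fail_at))
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main())
```

In a real pipeline the XML would be written to the directory the CI server collects test reports from, and the threshold would be a repository-level setting rather than a default argument; the point of the design is that lowering the gate is a reviewable code change, and that the failure reads exactly like a failed test to the developer who sees it.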
Want to be fast and safe? Join me for our half-day workshop, Security at the Speed of Digital Transformation, where we’ll explore the security implications of containers and serverless architectures and answer the burning question: does SecDevOps exist in the wild, where ops, security and dev teams have long been natural enemies? Register now!