Computerworld

Why we need to merge DevOps and cyber security

DevSecOps will move from ‘buzzword’ to ‘business imperative’ as businesses look to build up their digital defence

Cyber attacks are rising in frequency, complexity and impact as increasingly capable attackers exploit security weaknesses to infiltrate enterprise infrastructure.

In Australia, we’ve seen a surge in attacks despite the country’s seemingly remote position from the rest of the world. Telstra’s latest Security Report found that two-thirds of Australian companies surveyed had been the victim of a security breach in the past year. What’s more, Australian businesses lost over $7.2 million to email scams in 2018, according to the Australian Competition and Consumer Commission (ACCC).

As cyber risk continues to grow, DevSecOps will move from ‘buzzword’ to ‘business imperative’ as businesses look to build up their digital defence.

Why should businesses marry DevOps and cyber security?

Success in our growing digital economy is very much tied to how quickly organisations can move and bring things to market, a vital part of which includes implementing a DevOps culture and platform.

Organisations also need to ensure their teams can respond quickly to business needs. Joining development (Dev) and IT operations (Ops), and providing a platform that lets developers deploy the code they build, improves business scalability and innovation. It also fosters a culture of collaboration, communication and shared responsibility for the success of software delivery.

The threat landscape is evolving, however, and moving at breakneck speed. With more connected devices and new working conditions, such as remote working, it’s becoming increasingly challenging to define the boundaries of an organisation.

Organisations can no longer depend on current reactive approaches to cyber security. They will need to take a ‘secure by default’ posture, integrating cyber security right from the start. To balance technology and risk mitigation, organisations must consider a DevSecOps strategy that combines DevOps with cloud-native security principles.

And we’re already starting to see more organisations amending their business priorities to include cyber-security strategies. In fact, NSW deputy premier and minister for industry and trade John Barilaro recently said Australia’s cyber-security industry is expected to triple over the next 10 years, with revenues soaring from $2 billion to $6 billion by 2026.

How to measure cloud-native security

A successful DevOps strategy includes several facets that impact the culture, process and tooling in an organisation – a DevSecOps approach is no different.

Making security intrinsic across all processes within the organisation will see the DevOps and security teams working more closely than ever before. The challenge, however, will be keeping security teams from falling behind the speed of business that today’s market demands. Companies are looking to become more agile and to shorten the time it takes to bring new products and features to market so they can keep up with competitors, and security has to keep pace.

The adoption of DevSecOps methodologies will depend upon creating a culture that fosters cross-team collaboration and innovation. As with other new processes, organisations will need to set outcomes and metrics – driven by security – to ensure all teams are aligned on cyber-security goals. Metrics can include security flow, resilience and risk reduction.

These metrics track factors such as how quickly the organisation can fix problems (for example, the time it takes to patch services), the time spent on coding and testing, its capacity to respond to and recover from incidents, and how far it reduces the risks that matter at their source.

Security must be at the forefront of the business agenda

Thinking of security in an outcome-driven way will help organisations determine which metrics they want to improve. Consider, for example, whether the organisation needs more automation or more upfront testing. Thinking in terms of outcomes will, in turn, shape how organisations articulate the cyber-security processes and goals that all teams should be working towards collectively.

An organisation’s culture plays a key role in enabling it to successfully adopt DevSecOps methodologies and become Agile. Just as we see with DevOps, whereby developers and operations teams work closely together, security should not be siloed.

In today’s enterprise, security is everybody’s responsibility. A common, collaborative mindset across teams will support the agility that both the business and the modern cyber risk environment demand. Is your business prepared?

Sachin Shridhar is VP of services and customer success at Pivotal APJ.