The key steps for CIOs to elevate DevSecOps practices

Prashanth Nanjundappa, VP Product Development, Progress, looks deeper into whether CIOs can succeed in overcoming the barriers to making DevSecOps a reality and offers key steps that can help CIOs embed security processes to elevate their DevSecOps practices. 

As Digital Transformation continues to gather pace, CIOs are looking for new ways to empower their teams to succeed now and in the future. Since the collaborative development and operations approach DevOps extended to the concept of DevSecOps nearly 25 years ago, the idea behind it was to embed security to drive more rapid development of quality software. And never have we needed this so much as today, across all industries.

But as the challenge to release fast impressive software escalates, constant change and complexity have made DevSecOps harder to implement than initially expected. Increased collaboration demands, tooling and the agile ‘shift left’ have added to implementation requirements. Gartner’s more optimistic view is that by 2025, 70% of organisations will use infrastructure automation tools within their DevOps processes. However, the question remains whether CIOs can succeed in overcoming the barriers to making DevSecOps a reality.

The state of DevSecOps adoption

A Progress survey of IT and DevOps decision-makers globally reveals that the majority (86%) of professionals are experiencing challenges in their current approaches to security. With over half (51%) admitting they don’t fully understand how security fits into DevSecOps, it’s clear that IT teams need better education and support to adopt effective practices. 

The overwhelming consensus is that leaders are lagging in achieving their DevSecOps goals, with almost three-quarters (73%) of IT decision-makers admitting more could be done to improve their DevSecOps practices. In addition, 76% acknowledge they need to take a more strategic approach to DevSecOps management – and 17% consider themselves still at the exploratory, proof-of-concept stage.

Common barriers to DevSecOps adoption

Identifying the biggest barrier to DevSecOps success, 71% of respondents agreed that workplace culture is a roadblock to DevSecOps progress. Dev teams are often pushed to prioritise speed to market over security, experiencing challenges in keeping up with security tasks such as monitoring vulnerabilities.

Achieving RoI is also a key blocker, as the most common timeframe to derive quantifiable benefits from DevSecOps efforts was six-12 months (45%), although 31% said it had taken longer than a year. Lack of training can also be a hurdle, despite it being critical for successful DevSecOps implementation and long-term collaboration between security and development teams.

New technologies have also added to DevSecOps complexity with cloud native adoption being one of the most influential. For instance, many saw the benefits of AI and 49% had already implemented policy-as-code to save time and eliminate manual errors.

The drivers for DevSecOps adoption

The top business factors driving the adoption and evolution of DevSecOps inside their organisations include a focus on agility. Other factors include reducing the business risk of quality, security and downtime or performance issues and the need to implement DevOps to support a cloud mandate or their move to the cloud. Key drivers in DevOps adoption are infrastructure modernisation efforts, policy-as-code and cloud-native adoption.

The benefits of a DevSecOps model range from reduced risk and lower costs to faster delivery and more effective compliance. The top technology factor driving adoption was to efficiently manage cybersecurity threats and issues (57%). However, 86% experience challenges in their current approaches to security and, alarmingly, 51% admit they don’t fully understand how security fits into DevSecOps.

Key characteristics of effective DevSecOps ‘leaders’ 

Overall, the study showed that those organisations possessing a leading stance required more than one process or piece of technology. In fact, leaders had successfully invested in culture, process and technology, while continuing to identify areas of improvement for the short and long term.

A key feature of those with leading stances was the prioritisation of building a stronger culture of collaboration and training. Some (40%) recognised it was very important to implement security training and upskill developers, business owners and other teams, 30% were quite confident in the level of collaboration between security and development and 60% had identified the need to improve communication between developers, security and operations to ensure DevSecOps success.

When considering the shared characteristics of security approaches, almost half (47%) of leading stance organisations’ leaders had implemented security practices early in the development process, while 43% of leaders had achieved automated security and reliance tasks and 41% reduced the time and effort to complete a security audit.

Leaders also realised benefits between zero to six months (23%). Being able to demonstrate benefits earlier to the boardroom meant organisations could secure buy-in and further funding for better DevSecOps tooling and processes.

Key steps to elevate DevSecOps practices

Since building an organisation’s productivity and security posture is now a priority in the fast-changing digital environment, some key steps can help CIOs embed security processes to elevate their DevSecOps practices:

• Set clear roles, responsibilities and processes – Establishing ownership, roles and processes is a fundamental box to tick. Leading organisations in implementing DevSecOps were mainly able to develop a clear set of policies and procedures (66%) and to define the role and responsibilities of staff across teams (62%).
• Take a holistic approach – Prioritisation must start from leadership. Yet, many executive teams were not placing enough importance or investment into the key areas that will drive DevSecOps success. This included adopting a holistic approach to DevSecOps that engaged teams from across the organisation.
• Identify obstacles to collaboration – Identifying cross-team communication barriers can build confidence in the ability for different teams, such as security and app development, to successfully communicate and collaborate with each other. The importance of cross-functional communication cannot be understated to embed a culture of DevSecOps.
• Incorporate new technologies and processes – Cloud-native development, AI and policy-as-a-code have begun to influence DevSecOps strategy, but focusing on one area is not enough; leaders must be careful to balance modernising technology, processes and culture.
• Build confidence in securing cloud-native adoption – Cloud security is critical especially to appropriately secure workloads based on containers/Kubernetes. Making DevSecOps a boardroom discussion can include topics such as where they are in their journey and when to take the necessary steps for success.
• Invest in training – Adequate resourcing is essential in the areas which can elevate organisational outcomes, such as culture. To create real change in a DevSecOps approach, more investment is needed in continuous learning for developers and engineers as well as improved communication between developers, security and operations.
• Focus on security and automation – DevSecOps leaders are focusing on security achievements – with many being ‘quite confident’ in effective integration of security/compliance feedback into the software development process (47%), the ability to protect themselves against OWASP security risks (37%) and extending security and compliance to address mobile workloads (40%). From a development perspective, they were also mostly able to creating a continuous feedback loop (49%) and automate recurring security tasks (41%).

Following the leaders in DevSecOps

While an effective DevSecOps culture will not happen overnight, CIOs must start having honest conversations with their teams and other leaders in the organisation about where they are in their journey. Identifying this is the best way to start taking the necessary steps to elevate processes – but every organisation can always improve on its DevSecOps progress.

Although the integration of security in DevOps practices at a basic level appears to be heading in the right direction, there’s clearly work to be done, particularly with strategy, collaboration and investment in culture. In fact, the research shows only 16% of respondents are prioritising culture as an area to optimise in the next 12–18 months. Focusing on DevSecOps strategy to embed a culture of security within development is critical to long term adoption – balancing innovation with security can truly unlock business potential.