SecOps reality gap: 85% say practicing SecOps is a goal, 35% actually do
More than half of companies (52 percent) admit to cutting back on security measures to meet a business deadline or objective.
Based on a survey of over 200 senior-level operations and security professionals, new research from Threat Stack explored the extent to which companies have united security principles and standards within DevOps practices.
As further evidence that companies are sacrificing security for speed, researchers found that 68 percent of companies say their CEO demands DevOps and security teams not do anything that slows the business down. But that pressure doesn’t just come from the corner office as 62 percent of companies also admit their operations team pushes back when asked to deploy security technology.
“Businesses have grappled with the ‘Speed or Security’ problem for years but the emergence of SecOps practices really means that companies can achieve both,” said Brian M. Ahern, Threat Stack Chairman and CEO. “The survey findings show that the vast majority of companies are bought-in, but unfortunately, a major gap exists between intent of practicing SecOps and the reality of their fast-growing businesses. It’s important that stakeholders across every enterprise prioritize the alignment of DevOps and security.”
The SecOps reality gap
The purpose and intent of SecOps is to build towards distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the required controls. Survey respondents demonstrated a clear understanding of the importance of SecOps to the overall success of their business, with 85 percent of respondents saying SecOps is a goal for their organization.
Despite clear intent to implement SecOps, only 35 percent of respondents say SecOps is completely or mostly an established practice at their organizations, while only 18 percent say it’s not established at all.
These numbers dwindle according to specific job roles: 25 percent of security professionals believe that SecOps is an established practice at their companies while only 10 percent of DevOps professionals agreed.
DevOps and security teams operating in silos
To help understand the obstacles to implementing SecOps, Threat Stack’s research found that challenges are primarily centered on organizational alignment as DevOps and security teams are not routinely integrated.
- Forty-four percent of developers are not trained in secure coding, and 42 percent of operations staff are not trained in basic security practices.
- Only 40 percent of respondents agree that DevOps are always incorporated into security processes.
- A security specialist is a part of only 27 percent of Ops teams and 18 percent of Dev teams.
- When respondents were asked if they have the ability to fix a security-related issue themselves, 44 percent of DevOps respondents said they rely on someone else vs. 35 percent of security respondents.
- Forty-one percent of DevOps professionals rated their organizations’ ability to detect and remediate security incidents as “average” vs. 35 percent of security professionals.
The cloud security consequences
The speed of today’s business is driving companies to capitalize on the business benefits of cloud infrastructure and automation in order to compete. Threat Stack’s survey showed that the lack of SecOps adoption impacts the security of this infrastructure, as more than half of the participating professionals rated the security of their organizations’ cloud infrastructure and environment as average or worse.