DevSecOps is becoming a major player in Cyber Security. Here's why...
British Airways’ record-breaking fine following a 2018 data leak confirms that cyber security is a very real threat to business, and one which must become central to smart hiring strategies for organisations wishing to avoid the devastating consequences of addressing security weaknesses only after an attack.
Growing demands for enhanced efficiency and quality in product development have altered the IT landscape over the last decade, with DevOps environments adopted as the norm. A merging of the previously separate Development and Operations functions, DevOps sees the processes between software development and IT teams automated in a collaborative culture, enabling faster and more reliable build and release processes for software. As well as a change in working practices, this also brings a cultural shift and improves trust amongst teams, in turn creating an environment in which ideas can be shared freely and problems solved rapidly.
Whilst clearly a huge improvement to working practices, DevOps environments still operate independently of security testing, which is implemented towards the end of the development process. With each major cyber attack, it becomes more apparent that this approach of security-as-afterthought is neither fast nor secure enough to tackle today’s cyber threats; wherever DevOps teams and cyber security specialists work separately, value and speed are lost with the too-late discovery that something is not, in fact, secure.
The need for enhanced security has led to a gradual shift towards new cyber security practices: DevSecOps. A logical evolution of existing DevOps and security practices, the aim is to eradicate room for human error by automating testing and implementation of security from the start of the development process. By ‘baking in’ security and creating an awareness of best practices, DevSecOps inherently heightens efficiency, avoiding costly errors and retroactive patches.
We caught up with our DevSecOps recruitment specialist, James, to learn more about the trend and the challenges associated with integrating a newly defined role into more traditional businesses.
First of all, why is DevSecOps so important, and where does it differ from DevOps?
DevSecOps is an organic development of DevOps, rather than a standalone methodology. Where historically security has been separate to the development process, the movement now is towards embedding security into the traditional DevOps functionalities of automation and monitoring. Inserting security from the beginning without slowing down the DevOps pipeline creates an output of highly efficient and saleable products. Industry is placing a spotlight on security; by investing in DevSecOps, companies develop more trustworthy products and give their customers peace of mind, as well as minimising the chance of discovering costly security issues late in the development process.
For businesses that have successfully implemented DevOps, DevSecOps is a logical step towards future-proofing your business and building trust with customers, as well as slashing overheads, reducing headcount and increasing output.
Should everybody be rushing out to hire a DevSecOps expert?
Not necessarily. Finding an existing DevSecOps specialist is rare as it is a highly specialised, niche role and very much a candidates’ market right now; a LinkedIn search for DevSecOps in the UK only turns up 135 people who have that job title! But that’s not to say that there aren’t a huge number of DevOps engineers out there also working with security automation tooling who are more than qualified to make the move.
If you are interested in developing DevSecOps, the first thing to consider is your culture and methodologies. If you have an established or even emerging DevOps team, and there are security experts in your business, look to introduce DevSecOps by pooling their knowledge in the first instance. Assessing your existing capabilities and making mindset changes within your teams is often a good first step. If there really is a knowledge gap or lack of resource internally, that’s when you could consider looking externally for talent or training opportunities to upskill your team.
For companies yet to successfully implement DevOps, if development and operations are struggling to collaborate, adding security into the mix is likely a bridge too far. The problem lies in the fact that teams who have not historically collaborated need to be totally transparent as they learn together, and that requires an environment which encourages change and growth. Hiring a DevSecOps specialist into a team who are not ready for that could be a costly mistake as they are unlikely to make a difference or last in that role.
What is the benefit for businesses investing in a DevSecOps strategy?
A 2018 logz.io survey revealed that only 24% of IT professionals have put the practice in place, but for those that have successfully implemented DevSecOps, there is already a demonstrable return on investment, including speed to market and customer satisfaction, along with a huge reduction in retroactive security fixes.
Key areas in which ROI is evident include:
- Increased speed to market: faster build time, fewer bugs, and no last-minute surprises.
- Reduced number of tickets raised by customers: less human resource and lower headcounts.
- Preferred supplier status with customers due to confidence in security, especially where competitors are yet to adopt DevSecOps.
- Increased Net Promoter Score (NPS) building trust and loyalty.
- Higher client retention rates and increased revenues.
The overall message is that correctly implemented DevSecOps processes will save you time and money, maximising client retention and revenues.
What advice would you give to anybody exploring DevSecOps right now?
For businesses looking to implement DevSecOps, I would say that investing in the right people to develop your strategy is incredibly important for the future of cyber security, but that doesn’t necessarily mean looking elsewhere. Changes in the industry and emerging trends are always great opportunities for learning and development alongside internal mobility, so assess your own strengths first.
For candidates: don’t be put off by not having ‘DevSecOps’ as a line on your CV. You likely have the experience needed if you have a combination of DevOps and security experience, with a willingness to learn and develop in a highly collaborative culture.
- Internal culture is crucial to successful DevOps and DevSecOps strategies. If your teams are struggling to collaborate, it is time to be looking at why and addressing your working practices. With security at the forefront of business and purchasing decisions, it is so important that you are demonstrably incorporating security into your development cycles.
- Rather than rushing out to hire a specialist, conduct a sanity check internally. Often the skills are already present in-house, or else there is potential to upskill existing employees. After all, it is generally easier to develop existing staff than to hire in a consultant to disrupt the status quo.
- Ensure company-wide buy-in before making any changes. If your entire business doesn’t understand the value in moving to a security-first model, it will be hard to implement DevSecOps. CISOs often face battles with their boards to impress the value of cyber security, but now is the time to really champion change and force the issue.
To find out more about a career in Cyber Security view InfoSec People's current roles or call us on 01242 507100.
James is InfoSec People's Cyber Security Recruitment Partner, and brings to the role a strong background of recruiting for highly regulated industries, including finance. This knowledge and experience makes James the perfect fit for Cyber Security, with his meticulous attention to detail and deep understanding of compliance meaning he finds the perfect candidate for each and every role.