Security or Agility? An Unnecessary Choice
As they digitally transform, enterprises can become vulnerable to security risks, but some are building apps faster and increasing security simultaneously.
Increasing information security: 90%.
Increasing IT agility: 88%.
Increasing development agility: 87%.
“Going faster often means introducing security risks, while maximizing security often means slowing things down. To increase agility and security would require changing how security works within the organization.”
88% of the managers and professionals surveyed said that integrating security into DevOps is somewhat or extremely important because they want to speed app development and enhance security.
The top three dangers of operating security outside of DevOps are increased costs, longer delivery cycles and increased security risk.
49% of respondents have already integrated security into DevOps, and another 49% are completing that integration, while only 2% have no interest in doing that.
The organization’s structure prohibits integration.
The team lacks a champion for the transition.
The security pros don’t work well in a team environment.
It took too much time.
Security team resisted change.
Lacked relationship skills to integrate the teams.
The top challenge, that the transition took too long, was explored. Respondents who had not completed the integration estimated that it would take 7 to 11 months, but those who had completed it said it took 1 to 2 years.
Doing well at information security: 22%.
Doing well at meeting app delivery deadlines: 21%.
Doing well at lowering application risk: 21%.
Appoint a social leader to drive cultural change.
Appoint a security lead on all DevOps teams at the beginning.
Limit access, and sign and encrypt everything in the network using automated PKI.
Invest in automation, including certificate management, patching, vulnerability scanning and static code analysis. Integrate and standardize.
Enterprises need both agility and security. Go too slow, and you lose out to the competition. Neglect security, and you open the enterprise to unacceptable risk.