XOps: Harnessing the Convergence of DevOps, ITOps and SecOps Through Automation
July 30, 2020

Alex Peay
SaltStack

The enduring approach to DevOps, ITOps, and security (SecOps) has exposed foundational cracks in the operational structure of digital businesses. The specialized organizations created to support innovation, IT performance, and the protection of business-critical infrastructure — DevOps, ITOps and security teams — are too often fragmented to the point that they create security vulnerabilities that represent significant potential business damage. Modern IT environments demand a cohesive approach comprising these most crucial teams, an approach we describe as XOps.


Unaddressed cyber hygiene is the leading cause of data loss and compromised digital business systems. A serious lapse has the potential to inflict damage to a businesses’ reputation, employees and customers. It can force substantial fines, restitution payments, IT expenses, competitive disadvantage and catastrophic business disruption.

There is a growing tension between the tasks, tempo and tools of security professionals and ITOps and DevOps teams. It's not that there isn’t an interest in organization-wide protection, it's simply not the domain of these teams. Infrastructure reliability, agility, innovation and speed to market have become at odds with security. This is a self-defeating dynamic that has had an unfortunate impact on many businesses.

To figure out where these breakdowns are most common and how different teams address them, SaltStack commissioned an independent market research firm to conduct a survey that examined the level of collaboration and communication between IT and security teams and how it impacts infrastructure security. We did this shortly before the COVID-19 outbreak became a pandemic but the recent global events and subsequent digital surge have put an even greater emphasis on the need to align ITOps, DevOps and security in support of holistic business protection.

The key findings in The State of XOps Report, Q2 2020 — Successful SecOps Teams Automate and Align provide insight into why IT security operations teams are falling short too often and how they are working together to fix it. The survey revealed that organizations using software to help IT and security alignment are three times more confident in the effectiveness of their information security efforts.

However, despite the obvious security benefits of improving team alignment, only 54 percent of security leaders say they communicate effectively with IT professionals, while only 45 percent of IT professionals agree. This apparent gap in communication was particularly prevalent among respondents working in the financial services vertical where large enterprise teams struggle to collaborate and communicate to secure digital infrastructure.

The reality is that to be truly secure, security must be a shared responsibility, starting with the development team developing secure code and applications, and continuing with the IT operations team building secure underlying infrastructure. Security teams then must either advocate security across these functions or rely on other teams to help the cause.

The reason we used XOps as an umbrella term to refer to generalized operations of IT disciplines and responsibilities, including development and security, is because organizations must focus on converging these areas of IT. Development, security, networking and cloud operations must be integrated with and supported by IT operations to be efficiently maintained, secure and reliable.

The importance of the security function, which includes regulatory compliance, cannot be underestimated or treated secondary to the functions of development and IT operations. This is even more true now that countless organizations have embraced remote and work from home policies and must mitigate the sprawl of IT assets and connectivity as a result. Factor in the recent enactment of personal privacy laws, like California's CCPA, HIPAA and PCI-DSS and Europe's GDPR, and we recognize an even stronger need for the shared approach.

The survey findings offer additional insight into communication breakdowns and how teams are working together to fix them. In companies where software is used to help IT and security teams collaborate, managers are four times more likely to say their IT and security teams communicate effectively on important tasks. Moreover, these same organizations are eight times more likely to say their IT and security teams work together, not just communicate, effectively to secure infrastructure.

But the survey also revealed two areas of undeniable alignment between security and IT professionals:

■ 70 percent of both security and IT managers say their company sacrifices data security for faster innovation.

■ Both security and IT managers reported that data protection should be prioritized over innovation, speed to market and cost.

Even though both IT and security teams agree that security is more important than innovation, we’re seeing the impact of rapid innovation with lagging security, which increases the likelihood that infrastructure misconfiguration and known vulnerabilities will open the door to risks and threats. An exploited vulnerability can lead to customer and revenue loss, regulatory violations, and diminished brand trust, which were some of the most-concerning consequences of a breach according to the survey respondents. There should be a real fear that a security exploit combined with pandemic-induced economic headwinds could be a double black swan scenario that kills a company.

Survey respondents estimated that a major data breach would cost their company roughly $707,000, on average. Security leaders pointed to a skills and talent shortage, followed by misconfigured infrastructure and unaddressed vulnerabilities, as the top contributors to risk. IT managers, on the other hand, suggested that the highest risk stems from unintentional employee leaks and endpoint attacks.

Security leaders have a point. Recent breaches point to system misconfiguration and known, unpatched vulnerabilities, particularly of public cloud and on-premises server infrastructure and databases, as the most common cause of data exposure and successful exploits. This also naturally speaks to the security skills gap prevalent in the industry.

Simply, DevOps, ITOps and security teams need force multipliers in order to secure digital infrastructure at scale. For many organizations, this can be found in the form of IT and security automation. Using automation to promote collaboration and security mindedness and to arm teams with capabilities can help overcome skills gaps, mitigate known and unknown threats and establish hardened, resilient environments that businesses can rely on in times of stress.

Alex Peay is SVP of Product and Marketing at SaltStack
Share this

Industry News

February 25, 2025

Red Hat announced the general availability of Red Hat OpenShift 4.18, the latest version of the hybrid cloud application platform powered by Kubernetes.

February 25, 2025

Akamai Technologies announced a Managed Container Service designed for companies that want to deliver better experiences by running workloads closer to users, devices, and sources of data.

February 24, 2025

Couchbase announced that its Capella AI Model Services have integrated NVIDIA NIM microservices, part of the NVIDIA AI Enterprise software platform, to streamline deployment of AI-powered applications, providing enterprises a powerful solution for privately running generative (GenAI) models.

February 20, 2025

GitLab announced the general availability of GitLab Duo Self-Hosted.

February 20, 2025

Tigera announced the introduction of several new innovations to Calico, including a new Ingress Gateway capability for Calico Cloud and Calico Enterprise, and the launch of Calico Dashboards.

February 20, 2025

Copado introduced three AI-powered DevOps apps for Slack.

February 20, 2025

Gearset announced that it now supports Salesforce's Agentforce.

February 19, 2025

Sonar announced the acquisition of AutoCodeRover, an autonomous AI agent platform for software development.

February 19, 2025

Faros AI announced a collaboration with Microsoft to deliver its AI-powered platform for optimizing engineering workflows on Azure.

February 19, 2025

Apollo GraphQL announced the general availability of Apollo Connectors for REST APIs and new GraphOS platform enhancements — giving enterprises a faster, more efficient way to execute their API strategies.

February 18, 2025

Check Point® Software Technologies Ltd.(link is external) announced that its Check Point CloudGuard solution has been recognized as a Leader across three key GigaOm Radar reports: Application & API Security, Cloud Network Security, and Cloud Workload Security.

February 13, 2025

LaunchDarkly announced the private preview of Warehouse Native Experimentation, its Snowflake Native App, to offer Data Warehouse Native Experimentation.

February 13, 2025

SingleStore announced the launch of SingleStore Flow, a no-code solution designed to greatly simplify data migration and Change Data Capture (CDC).

February 13, 2025

ActiveState launched its Vulnerability Management as a Service (VMaas) offering to help organizations manage open source and accelerate secure software delivery.

February 12, 2025

Genkit for Node.js is now at version 1.0 and ready for production use.