DEVOPSdigest

The enduring approach to DevOps, ITOps, and security (SecOps) has exposed foundational cracks in the operational structure of digital businesses. The specialized organizations created to support innovation, IT performance, and the protection of business-critical infrastructure — DevOps, ITOps and security teams — are too often fragmented to the point that they create security vulnerabilities that represent significant potential business damage. Modern IT environments demand a cohesive approach comprising these most crucial teams, an approach we describe as XOps.

Unaddressed cyber hygiene is the leading cause of data loss and compromised digital business systems. A serious lapse has the potential to inflict damage to a businesses’ reputation, employees and customers. It can force substantial fines, restitution payments, IT expenses, competitive disadvantage and catastrophic business disruption.

There is a growing tension between the tasks, tempo and tools of security professionals and ITOps and DevOps teams. It's not that there isn’t an interest in organization-wide protection, it's simply not the domain of these teams. Infrastructure reliability, agility, innovation and speed to market have become at odds with security. This is a self-defeating dynamic that has had an unfortunate impact on many businesses.

To figure out where these breakdowns are most common and how different teams address them, SaltStack commissioned an independent market research firm to conduct a survey that examined the level of collaboration and communication between IT and security teams and how it impacts infrastructure security. We did this shortly before the COVID-19 outbreak became a pandemic but the recent global events and subsequent digital surge have put an even greater emphasis on the need to align ITOps, DevOps and security in support of holistic business protection.

The key findings in The State of XOps Report, Q2 2020 — Successful SecOps Teams Automate and Align provide insight into why IT security operations teams are falling short too often and how they are working together to fix it. The survey revealed that organizations using software to help IT and security alignment are three times more confident in the effectiveness of their information security efforts.

However, despite the obvious security benefits of improving team alignment, only 54 percent of security leaders say they communicate effectively with IT professionals, while only 45 percent of IT professionals agree. This apparent gap in communication was particularly prevalent among respondents working in the financial services vertical where large enterprise teams struggle to collaborate and communicate to secure digital infrastructure.

The reality is that to be truly secure, security must be a shared responsibility, starting with the development team developing secure code and applications, and continuing with the IT operations team building secure underlying infrastructure. Security teams then must either advocate security across these functions or rely on other teams to help the cause.

The reason we used XOps as an umbrella term to refer to generalized operations of IT disciplines and responsibilities, including development and security, is because organizations must focus on converging these areas of IT. Development, security, networking and cloud operations must be integrated with and supported by IT operations to be efficiently maintained, secure and reliable.

The importance of the security function, which includes regulatory compliance, cannot be underestimated or treated secondary to the functions of development and IT operations. This is even more true now that countless organizations have embraced remote and work from home policies and must mitigate the sprawl of IT assets and connectivity as a result. Factor in the recent enactment of personal privacy laws, like California's CCPA, HIPAA and PCI-DSS and Europe's GDPR, and we recognize an even stronger need for the shared approach.

The survey findings offer additional insight into communication breakdowns and how teams are working together to fix them. In companies where software is used to help IT and security teams collaborate, managers are four times more likely to say their IT and security teams communicate effectively on important tasks. Moreover, these same organizations are eight times more likely to say their IT and security teams work together, not just communicate, effectively to secure infrastructure.

But the survey also revealed two areas of undeniable alignment between security and IT professionals:

■ 70 percent of both security and IT managers say their company sacrifices data security for faster innovation.

■ Both security and IT managers reported that data protection should be prioritized over innovation, speed to market and cost.

Even though both IT and security teams agree that security is more important than innovation, we’re seeing the impact of rapid innovation with lagging security, which increases the likelihood that infrastructure misconfiguration and known vulnerabilities will open the door to risks and threats. An exploited vulnerability can lead to customer and revenue loss, regulatory violations, and diminished brand trust, which were some of the most-concerning consequences of a breach according to the survey respondents. There should be a real fear that a security exploit combined with pandemic-induced economic headwinds could be a double black swan scenario that kills a company.

Survey respondents estimated that a major data breach would cost their company roughly $707,000, on average. Security leaders pointed to a skills and talent shortage, followed by misconfigured infrastructure and unaddressed vulnerabilities, as the top contributors to risk. IT managers, on the other hand, suggested that the highest risk stems from unintentional employee leaks and endpoint attacks.

Security leaders have a point. Recent breaches point to system misconfiguration and known, unpatched vulnerabilities, particularly of public cloud and on-premises server infrastructure and databases, as the most common cause of data exposure and successful exploits. This also naturally speaks to the security skills gap prevalent in the industry.

Simply, DevOps, ITOps and security teams need force multipliers in order to secure digital infrastructure at scale. For many organizations, this can be found in the form of IT and security automation. Using automation to promote collaboration and security mindedness and to arm teams with capabilities can help overcome skills gaps, mitigate known and unknown threats and establish hardened, resilient environments that businesses can rely on in times of stress.