News

15 Years in, DevSecOps Lags, with Organizational 'Culture' to Blame

Some 15 years after becoming a thing, DevSecOps is lagging in the enterprise, primarily held back by organizational culture.

That's a main takeaway from a new survey-based research study from Progress, a company known for its developer tooling which became a major DevSecOps player with the 2020 acquisition of Chef.

Titled "DevSecOps: Simplifying Complexity in a Changing World," the report explains that while security is the No. 1 driver behind most DevOps and DevSecOps implementations, only 30 percent of respondents feel confident in the level of collaboration between security and development, the very idea behind DevSecOps. Specifically, DevSecOps is associated with development and security teams working together to bake in security functionality early in the software development process, described with the term "shift left."

Progress identified the following as three overarching findings emerging from the study:

  • DevSecOps success has been stymied by complexity and constant change
  • Effective DevSecOps requires collaboration and investment in culture
  • Desire to succeed didn't equal mastery of DevOps and DevSecOps practices

Along with a lack of confidence in dev/sec team collaboration, the report finds that many organizations are lagging in achieving their DevOps and DevSecOps goals. Specifically, 73 percent of organizations said they could be doing more, 76 percent acknowledge they need to be more strategic about how they manage DevSecOps, and 17 percent still consider themselves at an exploratory and proof-of-concept stage.

And what's to blame for all of the above? Organizational culture. The report discusses "culture" as a mix of management priorities for how security was approached when it came to DevSecOps, along with collaboration/training and communication with and investment in people.

Surprisingly, while culture was identified as a major barrier to DevSecOps implementations, respondents reported it's receiving little corporate attention.

Specifically, 71 percent of respondents agreed that culture was the biggest barrier to DevSecOps progress, but only 16 percent prioritized culture as an area they were looking to optimize in the next 12-18 months. While only about 30 percent felt of respondents were confident in the level of collaboration between security and development, 46 percent of respondents were not particularly confident and 24 percent were not at all confident.

"This lack of recognition about the importance of culture flowed directly from executive levels of leadership. Board-level directives set priorities for how security was approached when it came to DevSecOps for 19 percent of respondents. Yet those were the very organizations rated with average or below average scores for security integration," the report said.

"Additionally, only 40 percent believed implementing security training and upskilling efforts across multiple stakeholders was very important when implementing DevSecOps. This reinforced the notion that many practitioners siloed DevSecOps work within narrow teams at the very time those succeeding with it took a holistic approach to improving communication and skills cross-functionally across the organization."

Regarding training, the report said more is needed to involve stakeholders, listing the top three people-related actions needed to support a shift to more strategic DevSecOps as:

  • More investment in continuous learning for developers and engineers (61 percent)
  • Upskilling of developers and engineers to move into SRE roles (60 percent)
  • Improved communication between developers, security and operations (60 percent)

The report also found that while security was clearly a concern for every team, priority areas of concern varied, with key focus areas for security (ranked first or second) depicted in this graphic:

Key Focus Areas for Security
[Click on image for larger view.] Key Focus Areas for Security (source: Progress).

"The priority of digital marketing efforts was worth noting, as it showed the increasing importance and opinion of teams, such as marketing, in the DevSecOps workflow," Progress said. "From a collaborative point of view, the desire to improve security could be a rallying cry for improved practices and cross-team coordination at organizations seeking to advance in DevSecOps."

Other data point highlights of the report include:

  • The top business factor driving the adoption of DevSecOps was a focus on business agility via fast and frequent delivery of application capabilities (59 percent)
  • The most common timeframe to derive quantifiable benefits from DevSecOps efforts was 6-12 months (45 percent), although 31 percent said it had taken longer than a year
  • Despite security threats being the No. 1 technology factor driving the evolution of DevOps (57 percent), over half (51 percent) were only somewhat familiar with how security fit into DevSecOps
  • 39 percent of respondents had a comprehensive modernization approach based on cloud-native architecture principles, while another 22 percent felt they lacked one entirely
  • 24 percent considered their modernization approach to be largely rip-and-replace
  • 36 percent saw themselves as having a very good balance of investment across maintenance, modernization and new development efforts
  • 89 percent of new initiatives were cloud-native
  • 88 percent stated cloud-native and DevSecOps efforts were closely associated
  • 73 percent saw DevSecOps roles evolving to become CloudOps to align better with cloud-native efforts
  • 65 percent thought using artificial intelligence (AI) as part of their strategic DevSecOps approach (AIOps) held great promise in the future
  • 50 percent were familiar and interested in both infrastructure and policy-as-code
  • 59 percent said they struggled to attain buy-in/funding for re-factoring efforts that didn't provide new user capabilities
  • 27 percent were not at all confident in the accuracy of their security and compliance data
  • 18 percent were not at all confident they were protected against the OWASP top 10
  • 47 percent were not particularly confident there was an effective integration of security/compliance feedback

"Although DevSecOps is no longer the fresh-faced kid on the block, its potential to make a significant impact on the productivity and security posture of organizations has only expanded," Progress said in conclusion. It said the challenge has been to successfully navigate success blockers, including:

  • Overcoming obstacles to collaboration: There was still a lack of confidence in the ability for different teams, such as security and app development, to successfully communicate and collaborate with each other. Leadership prioritizing the importance of cross-functional communication can go a long way to address this.
  • Incorporating new technologies and processes: Cloud-native development, AI and policy-as-a-code have begun to influence DevSecOps strategy. But organizations must be careful to balance modernizing technology, processes and culture, as focusing on just one area will not be enough.
  • Conflicting areas of interest: Prioritization must start from leadership, yet many executive teams were not placing enough importance or investment into the key areas that will drive DevSecOps success. This included adopting a holistic approach to DevSecOps that engaged teams from across the organization.
  • Building confidence in securing cloud-native adoption: While organizations are making strides into appropriately securing workloads based on containers/Kubernetes, there is still work to be done. In addition to fully implementing and leveraging the benefits of cloud-first technologies, it's essential for organizations to think about cloud security.

For the report, Progress commissioned U.K. firm Insight Avenue to conduct 606 interviews with IT/security/app dev and DevOps decision-makers in organizations with more than 500 employees in 11 countries in Europe, Asia, Latin America and the United States. The purpose was to understand what was causing DevSecOps success to stall and what practices could be uncovered from those with thriving DevSecOps programs.

About the Author

David Ramel is an editor and writer for Converge360.

Featured