The Critical Collaboration: Cybersecurity and DevOps
By Andrew Zola
Cybersecurity is no longer about installing firewalls and antivirus software and forgetting about it. It’s an ongoing endeavor that demands continuous attention to overcome the challenges that lie ahead. In that sense, cybersecurity in the digital age complements the DevOps approach to developing, managing and maintaining continuous delivery and quality.
However, this doesn’t seem to translate seamlessly into the real world. According to the Oracle and KPMG Cloud Threat Report 2020, as much as 92% of IT professionals stated that their organizations weren’t adequately prepared to secure public cloud services. Furthermore, the study found that cybersecurity teams were continuously playing catch-up instead of getting a step ahead of bad actors. These findings suggest that enterprises need to go through a sea change when it comes to their approach to security. While hiring cybersecurity experts will go a long way toward securing enterprise infrastructure, companies today have to do more.
In fact, they need to embrace what experts call DevSecOps, which entails building security as a culture with constant collaboration between security teams and developers.
The top five challenges faced by most organizations are as follows:
- Cultural shift
- App security
- Data security
- IP protections
When DevOps and cybersecurity teams closely collaborate, it’s much easier to overcome these challenges. But how do they do it? Let’s take a look.
Enabling a corporate cultural shift is easier said than done, but it’s not impossible. What makes it challenging is that most people don’t understand the broader implications of a security breach. The primary objective should always be to keep threat actors out—preventing a breach of customer data while also preventing hackers from breaching your organization with data they stole from elsewhere. What many organizations lack is a broader business vision alongside technical prowess. Often, highly technical people fail to communicate the critical need for security and so fail to get the budget necessary to achieve their objectives.
Consequently, CISOs and CTOs need to strive for a broader understanding of the business and develop “soft skills.” This approach will help them communicate the necessary information and inspire a cultural shift throughout the organization. After all, it’s the responsibility of technology leaders to understand and communicate the current threat level and the best management strategy for fighting it.
By demonstrating how operational risk impacts overall business goals, it will be easier to get everyone in the company to buy into your security-first approach. Going forward, enterprises must evaluate their processes and ascertain if the people and processes are adequately protected. Whenever security protocols fall short, invest in the right tools and (sometimes) the right people.
Companies that embraced Microsoft’s SDLC and OWASP have incorporated app security protocols into their products for some time now. However, the same isn’t true for all technology companies, especially startups.
It’s vital to raise security awareness among development teams so that they start building security into the app right from the first iteration. Awareness sets the stage for tackling the myriad technical issues involved in successfully ensuring cybersecurity and privacy.
In the same vein, data security needs to be at the forefront of all decisions. It’s critical because a data breach puts all stakeholders at risk, especially your customers.
Once user data is in the hands of bad actors, it’s most often sold on the dark web to the highest bidder. This information is then used to help fund illicit activities such as human trafficking or terrorism. So it’s natural that the penalties that follow compliance violations are also significant.
DevSecOps teams must engage in regular threat assessments, code audits, add more tests to automated processes and much more to keep sensitive data safe. When you secure customer data, you’re not only protecting them. You’re also protecting your brand.
While data breaches have become the norm, it’s not just user data that’s being stolen and sold on the dark web. Although you don’t often see it in the news, intellectual property is stolen across industries (and quite often). These types of losses are hard to quantify, but it’s safe to say that the costs are astronomical. So businesses need to spend more on enterprise security. In this scenario, the entire burden can’t be placed on DevOps or security teams. The organization as a whole, including the leadership, needs to step up, undertake security training regularly and stay alert to cyberattacks.
Once trained, your staff will be well placed to take responsibility for their actions. While cybersecurity teams and DevOps specialists are already assigned responsibility, everyone needs to take on the obligation of keeping the company secure. All of the above will help your organization better prepare for and respond to the current threat landscape, where data breaches and ransomware attacks are rampant. When everyone works together, even those outside DevSecOps, it helps fortify enterprise infrastructure and helps keep your brand name out of the headlines.