Brought to you by Cisco AppDynamics
By Joe Byrne, CTO Advisor, Cisco AppDynamics
The last three years have seen massive changes within IT departments, with technologists being asked to deliver digital transformation at breakneck speeds in response to the pandemic.
Applications have been developed and released at a velocity which was previously unimaginable, as organisations have pivoted to meet changing customer needs and enable remote and hybrid work for employees.
One thing that hasn’t changed though, at least not in many IT departments, is the siloed way of working within different disciplines. Developer and security teams continue to operate very separately, often with a certain amount of skepticism and distrust towards one another.
In the latest research from Cisco AppDynamics, The shift to a security approach for the full application stack, only 24 per cent of technologists claim that collaboration between ITOps and security teams currently takes place on an ongoing basis.
Unfortunately, the shortcomings of this fragmented approach are now being exposed as organisations attempt to protect their applications against increasingly sophisticated and varied cybersecurity threats.
Cloud native applications and architectures are bringing about a large expansion in attack surfaces and IT leaders need to act quickly in order to shore up their application security and avoid a calamitous security breach.
The starting point has to be a move to a DevSecOps approach, where security is integrated into the entire application lifecycle from day one. This involves new tools, processes and structures and a major cultural shift within the IT department.
IT leaders need to bring all technologists on this journey towards DevSecOps and demonstrate that security does not have to come at the expense of rapid innovation.
A siloed approach in the IT department is increasing security vulnerabilities
Significantly, the research found that the majority of technologists perceive security to be an inhibitor of innovation, more than an enabler. Indeed, security has traditionally been viewed as a largely reactive function, brought in to resolve security breaches and patch up vulnerabilities.
Many ITOps and security teams operate entirely separately. Developers often don’t seek out input from security colleagues because they fear it will slow release velocity. They only collaborate when a potential issue is identified – which is often too late to prevent it impacting end users.
But this siloed approach is now becoming problematic and potentially extremely damaging. As organisations have shifted to modern application stacks, building more dynamic applications using low-code and no-code platforms, they have seen a sudden expansion in attack surfaces.
Widespread adoption of multi-cloud environments means that application components are increasingly running on a mix of platforms and on-premise databases, and this is exposing visibility gaps and heightening the risk of a security event.
Indeed, 81 per cent of technologists in Singapore point to the lack of a shared vision between application development and security teams as presenting a challenge to application security over the next 12 months.
DevSecOps can ease tensions in the IT department and bolster application security
Faced with this escalating challenge, IT leaders are recognising a need for much closer collaboration between developer and security teams and a more proactive approach to application security.
DevSecOps brings together ITOps and SecOps teams so that application security and compliance testing are incorporated into every stage of the application lifecycle, from planning through to shipping.
By taking this approach, developers can embed robust security into every line of code, resulting in more secure applications and easier security management, before, during and after release.
IT departments can avoid the current situation where security vulnerabilities are only addressed at the last minute before launch or identified after the application has already been released.
By incorporating security testing from the outset of the development process, security teams can analyse and assess security risks and priorities during planning phases to lay the foundation for smooth development.
Encouragingly, rather than being resistant to this change, most technologists are keen to embrace DevSecOps. They acknowledge that a DevSecOps approach is now essential for organisations to effectively protect against a multi-staged security attack on the full application stack.
What’s more, at a personal level, technologists are eager to work in a more collaborative way and to operate alongside technologists from other disciplines.
They rightly view DevSecOps as a good opportunity to learn new skill sets and expand their knowledge to become more rounded IT professionals.
Ultimately, technologists in Singapore are tired of silos and suspicion within the IT department – 75 per cent report that tensions between application and security teams would make them consider moving jobs.
Ultimately, IT leaders need to demonstrate to technologists how DevSecOps can make security an accelerator for innovation, rather than a barrier. And how it can help to ease the pressure and relentless firefighting that is engulfing many IT departments in the wake of new application security threats.
The shift to DevSecOps requires new mindsets and behavioural change right across the IT department, and IT leaders need to ensure that technologists are equipped with the right tools, insights and skills to make the transition.
