Enterprises Sacrifice Cybersecurity for Speed
Major SecOps Reality Gap: 85% of Companies Say Practicing SecOps is a Goal While 35% Actually Do
March 15, 2018

Pete Cheslock
Threat Stack

More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective, according to a SecOps research report released by Threat Stack.

As further evidence that companies are sacrificing security for speed, Threat Stack found that 68% of companies say their CEO demands that DevOps and security teams not do anything that slows the business down. But that pressure doesn’t just come from the corner office, as 62% of companies also admit that their operations team pushes back when asked to deploy security technology.


“Businesses have grappled with the ‘Speed or Security’ problem for years, but the emergence of SecOps practices really means that companies can achieve both,” said Brian M. Ahern, Threat Stack Chairman and CEO. “The survey findings show that the vast majority of companies are bought-in, but unfortunately, a major gap exists between the intent of practicing SecOps and the reality of their fast-growing businesses. It’s important that stakeholders across every enterprise prioritize the alignment of DevOps and security.”

The SecOps Reality Gap

The purpose and intent of SecOps is to build towards distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the required controls. Survey respondents demonstrated a clear understanding of the importance of SecOps to the overall success of their business, with 85% saying that SecOps is a goal for their organization.

Despite clear intent to implement SecOps, only 35% of respondents say SecOps is completely or mostly an established practice at their organizations, while only 18% say it’s not established at all. These numbers dwindle according to specific job roles: 25% of security professionals believe that SecOps is an established practice at their companies, while only 10% of DevOps professionals agreed.

DevOps and Security Teams Operating in Silos

Looking at the obstacles to implementing SecOps, Threat Stack’s research found that the challenges center primarily on organizational alignment, as DevOps and security teams are not routinely integrated.

■ 44% of developers are not trained in secure coding, and 42% of operations staff are not trained in basic security practices.

■ Only 40% of respondents agree that DevOps are always incorporated into security processes.

■ A security specialist is a part of only 27% of Ops teams and 18% of Dev teams.

■ When respondents were asked whether they have the ability to fix a security-related issue themselves, 44% of DevOps respondents said they rely on someone else vs. 35% of security respondents.

■ 41% of DevOps professionals rated their organizations’ ability to detect and remediate security incidents as “average” vs. 35% of security professionals.

The Cloud Security Consequences

The speed of today’s business is driving companies to capitalize on the business benefits of cloud infrastructure and automation in order to compete. Threat Stack’s survey showed that the lack of SecOps adoption impacts the security of this infrastructure, given that more than half of the participating professionals rated the security of their organizations’ cloud infrastructure and environment as average or worse.

Pete Cheslock is Sr. Director, Ops & Support, at Threat Stack.
