Enterprises Sacrifice Cybersecurity for Speed
Major SecOps Reality Gap: 85% of Companies Say Practicing SecOps is a Goal While 35% Actually Do
March 15, 2018

Pete Cheslock
Threat Stack

More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective, according to a SecOps research report released by Threat Stack.

As further evidence that companies are sacrificing security for speed, Threat Stack found that 68% of companies say their CEO demands that DevOps and security teams not do anything that slows the business down. But that pressure doesn’t just come from the corner office, as 62% of companies also admit that their operations team pushes back when asked to deploy security technology.


“Businesses have grappled with the ‘Speed or Security’ problem for years, but the emergence of SecOps practices really means that companies can achieve both,” said Brian M. Ahern, Threat Stack Chairman and CEO. “The survey findings show that the vast majority of companies are bought-in, but unfortunately, a major gap exists between the intent of practicing SecOps and the reality of their fast-growing businesses. It’s important that stakeholders across every enterprise prioritize the alignment of DevOps and security.”

The SecOps Reality Gap

The purpose and intent of SecOps is to build towards distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the required controls. Survey respondents demonstrated a clear understanding of the importance of SecOps to the overall success of their business, with 85% saying that SecOps is a goal for their organization.

Despite clear intent to implement SecOps, only 35% of respondents say SecOps is completely or mostly an established practice at their organizations, while only 18% say it’s not established at all. These numbers dwindle according to specific job roles: 25% of security professionals believe that SecOps is an established practice at their companies, while only 10% of DevOps professionals agreed.

DevOps and Security Teams Operating in Silos

To help understand the obstacles to implementing SecOps, Threat Stack’s research found that challenges are primarily centered on organizational alignment as DevOps and security teams are not routinely integrated.

■ 44% of developers are not trained in secure coding, and 42% of operations staff are not trained in basic security practices.

■ Only 40% of respondents agree that DevOps are always incorporated into security processes.

■ A security specialist is a part of only 27% of Ops teams and 18% of Dev teams.

■ When respondents were asked whether they have the ability to fix a security-related issue themselves, 44% of DevOps respondents said they rely on someone else vs. 35% of security respondents.

■ 41% of DevOps professionals rated their organizations’ ability to detect and remediate security incidents as “average” vs. 35% of security professionals.

The Cloud Security Consequences

The speed of today’s business is driving companies to capitalize on the business benefits of cloud infrastructure and automation in order to compete. Threat Stack’s survey showed that the lack of SecOps adoption impacts the security of this infrastructure, given that more than half of the participating professionals rated the security of their organizations’ cloud infrastructure and environment as average or worse.

Pete Cheslock is Sr. Director, Ops & Support, at Threat Stack

The Latest

November 15, 2018

Serverless infrastructure environments are set to become the dominant paradigm for enterprise technology deployments, according to a new report — Why the Fuss About Serverless? — released by Leading Edge Forum ...

November 14, 2018

What to automate? Which parts of the delivery process are good candidates? Which applications will benefit from automation? At first, those sound like silly questions. Automate all your repetitive processes. If you think that you'll do the same thing manually more than once, automate it. Why would you waste your creative potential and knowledge by doing things that are much better done by scripts? Yet, an average company does not adhere to that logic. Why is that? ...

November 13, 2018

I'd love to see more security automation deeply integrated into the development process. Everybody knows since the 1990s that security as an afterthought just doesn't work, yet we keep doing it. The reason, I think, is because it's very hard to automate security ...

November 09, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 5, the final installment, covers deployment and production ...

November 08, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 4 is all about security ...

November 07, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 3 covers the development environment and the infrastructure ...

November 06, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 2 covers the coding process ...

November 05, 2018

Everyone talks about automating the software development lifecycle (SDLC) but the first question should be: What should you automate? With this question in mind, DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 1 starts with by-far the most popular recommendation: Testing ...

October 31, 2018

Halloween is a time for all things spooky, but not when it comes to your mobile app experience. A poor experience can not only scare off your customers but keep them away for good ...

October 30, 2018

As organizations have embraced open source, they have become polyglot — using multiple programming languages and technology stacks to accomplish software and hardware related tasks. Enterprises are caught between the benefits provided by a polyglot environment and the complexities and challenges these environments bring. Ultimately, if the situation remains unchecked, polyglot will kill your enterprise ...

Share this