XOps: Harnessing the Convergence of DevOps, ITOps and SecOps Through Automation
July 30, 2020

Alex Peay
SaltStack

The enduring approach to DevOps, ITOps, and security (SecOps) has exposed foundational cracks in the operational structure of digital businesses. The specialized organizations created to support innovation, IT performance, and the protection of business-critical infrastructure — DevOps, ITOps and security teams — are too often fragmented to the point that they create security vulnerabilities that represent significant potential business damage. Modern IT environments demand a cohesive approach comprising these most crucial teams, an approach we describe as XOps.


Unaddressed cyber hygiene is the leading cause of data loss and compromised digital business systems. A serious lapse has the potential to inflict damage to a businesses’ reputation, employees and customers. It can force substantial fines, restitution payments, IT expenses, competitive disadvantage and catastrophic business disruption.

There is a growing tension between the tasks, tempo and tools of security professionals and ITOps and DevOps teams. It's not that there isn’t an interest in organization-wide protection, it's simply not the domain of these teams. Infrastructure reliability, agility, innovation and speed to market have become at odds with security. This is a self-defeating dynamic that has had an unfortunate impact on many businesses.

To figure out where these breakdowns are most common and how different teams address them, SaltStack commissioned an independent market research firm to conduct a survey that examined the level of collaboration and communication between IT and security teams and how it impacts infrastructure security. We did this shortly before the COVID-19 outbreak became a pandemic but the recent global events and subsequent digital surge have put an even greater emphasis on the need to align ITOps, DevOps and security in support of holistic business protection.

The key findings in The State of XOps Report, Q2 2020 — Successful SecOps Teams Automate and Align provide insight into why IT security operations teams are falling short too often and how they are working together to fix it. The survey revealed that organizations using software to help IT and security alignment are three times more confident in the effectiveness of their information security efforts.

However, despite the obvious security benefits of improving team alignment, only 54 percent of security leaders say they communicate effectively with IT professionals, while only 45 percent of IT professionals agree. This apparent gap in communication was particularly prevalent among respondents working in the financial services vertical where large enterprise teams struggle to collaborate and communicate to secure digital infrastructure.

The reality is that to be truly secure, security must be a shared responsibility, starting with the development team developing secure code and applications, and continuing with the IT operations team building secure underlying infrastructure. Security teams then must either advocate security across these functions or rely on other teams to help the cause.

The reason we used XOps as an umbrella term to refer to generalized operations of IT disciplines and responsibilities, including development and security, is because organizations must focus on converging these areas of IT. Development, security, networking and cloud operations must be integrated with and supported by IT operations to be efficiently maintained, secure and reliable.

The importance of the security function, which includes regulatory compliance, cannot be underestimated or treated secondary to the functions of development and IT operations. This is even more true now that countless organizations have embraced remote and work from home policies and must mitigate the sprawl of IT assets and connectivity as a result. Factor in the recent enactment of personal privacy laws, like California's CCPA, HIPAA and PCI-DSS and Europe's GDPR, and we recognize an even stronger need for the shared approach.

The survey findings offer additional insight into communication breakdowns and how teams are working together to fix them. In companies where software is used to help IT and security teams collaborate, managers are four times more likely to say their IT and security teams communicate effectively on important tasks. Moreover, these same organizations are eight times more likely to say their IT and security teams work together, not just communicate, effectively to secure infrastructure.

But the survey also revealed two areas of undeniable alignment between security and IT professionals:

■ 70 percent of both security and IT managers say their company sacrifices data security for faster innovation.

■ Both security and IT managers reported that data protection should be prioritized over innovation, speed to market and cost.

Even though both IT and security teams agree that security is more important than innovation, we’re seeing the impact of rapid innovation with lagging security, which increases the likelihood that infrastructure misconfiguration and known vulnerabilities will open the door to risks and threats. An exploited vulnerability can lead to customer and revenue loss, regulatory violations, and diminished brand trust, which were some of the most-concerning consequences of a breach according to the survey respondents. There should be a real fear that a security exploit combined with pandemic-induced economic headwinds could be a double black swan scenario that kills a company.

Survey respondents estimated that a major data breach would cost their company roughly $707,000, on average. Security leaders pointed to a skills and talent shortage, followed by misconfigured infrastructure and unaddressed vulnerabilities, as the top contributors to risk. IT managers, on the other hand, suggested that the highest risk stems from unintentional employee leaks and endpoint attacks.

Security leaders have a point. Recent breaches point to system misconfiguration and known, unpatched vulnerabilities, particularly of public cloud and on-premises server infrastructure and databases, as the most common cause of data exposure and successful exploits. This also naturally speaks to the security skills gap prevalent in the industry.

Simply, DevOps, ITOps and security teams need force multipliers in order to secure digital infrastructure at scale. For many organizations, this can be found in the form of IT and security automation. Using automation to promote collaboration and security mindedness and to arm teams with capabilities can help overcome skills gaps, mitigate known and unknown threats and establish hardened, resilient environments that businesses can rely on in times of stress.

Alex Peay is SVP of Product and Marketing at SaltStack
Share this

Industry News

October 29, 2020

Cisco announced new software-delivered solutions designed to simplify IT operations across on-premise data centers and multicloud environments.

October 29, 2020

Bugsnag announced availability of user stability analytics, which will help developers gain a clearer understanding of how application errors are impacting the user experience and other key performance indicators (KPIs) for the business, as well as offer insights on whether to fix bugs or build new features.

October 29, 2020

HAProxy Technologies announced an open-source release of a VMware Open Virtual Appliance (OVA) virtual machine image of the HAProxy load balancer for vSphere, which HAProxy Technologies will maintain on GitHub.

October 28, 2020

Progress announced a number of new innovations designed to facilitate adoption and at-scale deployment of Chef offerings for both new and experienced users of the DevSecOps portfolio.

October 28, 2020

StackRox announced the release of KubeLinter, its new open source static analysis tool to identify misconfigurations in Kubernetes deployments.

October 28, 2020

Vercel announced Next.js 10 featuring a number of new capabilities that accelerate frontend developers’ ability to enrich end users’ web experiences globally.

October 27, 2020

ThinkTank has released a suite of applications designed to keep distributed agile teams aligned and engaged, regardless of physical location.

October 27, 2020

Cloudify, a Service Orchestration and Automation Platform, announced its latest 5.1 product release which aims to take one step further to permanently remove silos and roadblocks that are consistently associated with migration to the public cloud.

October 27, 2020

WhiteSource announced its new native integration for Microsoft Azure DevOps services.

October 26, 2020

NetApp unveiled a new serverless and storageless solution for containers from Spot by NetApp, a new autonomous hybrid cloud volume platform, and cloud-based virtual desktop solutions.

October 26, 2020

GeneXus released GeneXus 17, a new version of its platform that empowers enterprises to create and evolve new applications at unprecedented speed.

October 26, 2020

Alcide announced the company’s security solutions are now integrated with AWS Security Hub, sending real-time threat intelligence and compliance information to Amazon Web Services (AWS) for easy consumption by Security and DevSecOps teams.

October 22, 2020

Puppet announced Puppet Comply, a new product built to work with Puppet Enterprise aimed at assessing, remediating, and enforcing infrastructure configuration compliance policies at scale across traditional and cloud environments.

October 22, 2020

Harness announced two new modules: Continuous Integration Enterprise and Continuous Features.

October 22, 2020

Render announced automatic preview environments which are essential for rapid and collaborative development of modern applications.