XOps: Harnessing the Convergence of DevOps, ITOps and SecOps Through Automation
July 30, 2020

Alex Peay
SaltStack

The enduring approach to DevOps, ITOps, and security (SecOps) has exposed foundational cracks in the operational structure of digital businesses. The specialized organizations created to support innovation, IT performance, and the protection of business-critical infrastructure — DevOps, ITOps and security teams — are too often fragmented to the point that they create security vulnerabilities that represent significant potential business damage. Modern IT environments demand a cohesive approach comprising these most crucial teams, an approach we describe as XOps.


Unaddressed cyber hygiene is the leading cause of data loss and compromised digital business systems. A serious lapse has the potential to inflict damage to a businesses’ reputation, employees and customers. It can force substantial fines, restitution payments, IT expenses, competitive disadvantage and catastrophic business disruption.

There is a growing tension between the tasks, tempo and tools of security professionals and ITOps and DevOps teams. It's not that there isn’t an interest in organization-wide protection, it's simply not the domain of these teams. Infrastructure reliability, agility, innovation and speed to market have become at odds with security. This is a self-defeating dynamic that has had an unfortunate impact on many businesses.

To figure out where these breakdowns are most common and how different teams address them, SaltStack commissioned an independent market research firm to conduct a survey that examined the level of collaboration and communication between IT and security teams and how it impacts infrastructure security. We did this shortly before the COVID-19 outbreak became a pandemic but the recent global events and subsequent digital surge have put an even greater emphasis on the need to align ITOps, DevOps and security in support of holistic business protection.

The key findings in The State of XOps Report, Q2 2020 — Successful SecOps Teams Automate and Align provide insight into why IT security operations teams are falling short too often and how they are working together to fix it. The survey revealed that organizations using software to help IT and security alignment are three times more confident in the effectiveness of their information security efforts.

However, despite the obvious security benefits of improving team alignment, only 54 percent of security leaders say they communicate effectively with IT professionals, while only 45 percent of IT professionals agree. This apparent gap in communication was particularly prevalent among respondents working in the financial services vertical where large enterprise teams struggle to collaborate and communicate to secure digital infrastructure.

The reality is that to be truly secure, security must be a shared responsibility, starting with the development team developing secure code and applications, and continuing with the IT operations team building secure underlying infrastructure. Security teams then must either advocate security across these functions or rely on other teams to help the cause.

The reason we used XOps as an umbrella term to refer to generalized operations of IT disciplines and responsibilities, including development and security, is because organizations must focus on converging these areas of IT. Development, security, networking and cloud operations must be integrated with and supported by IT operations to be efficiently maintained, secure and reliable.

The importance of the security function, which includes regulatory compliance, cannot be underestimated or treated secondary to the functions of development and IT operations. This is even more true now that countless organizations have embraced remote and work from home policies and must mitigate the sprawl of IT assets and connectivity as a result. Factor in the recent enactment of personal privacy laws, like California's CCPA, HIPAA and PCI-DSS and Europe's GDPR, and we recognize an even stronger need for the shared approach.

The survey findings offer additional insight into communication breakdowns and how teams are working together to fix them. In companies where software is used to help IT and security teams collaborate, managers are four times more likely to say their IT and security teams communicate effectively on important tasks. Moreover, these same organizations are eight times more likely to say their IT and security teams work together, not just communicate, effectively to secure infrastructure.

But the survey also revealed two areas of undeniable alignment between security and IT professionals:

■ 70 percent of both security and IT managers say their company sacrifices data security for faster innovation.

■ Both security and IT managers reported that data protection should be prioritized over innovation, speed to market and cost.

Even though both IT and security teams agree that security is more important than innovation, we’re seeing the impact of rapid innovation with lagging security, which increases the likelihood that infrastructure misconfiguration and known vulnerabilities will open the door to risks and threats. An exploited vulnerability can lead to customer and revenue loss, regulatory violations, and diminished brand trust, which were some of the most-concerning consequences of a breach according to the survey respondents. There should be a real fear that a security exploit combined with pandemic-induced economic headwinds could be a double black swan scenario that kills a company.

Survey respondents estimated that a major data breach would cost their company roughly $707,000, on average. Security leaders pointed to a skills and talent shortage, followed by misconfigured infrastructure and unaddressed vulnerabilities, as the top contributors to risk. IT managers, on the other hand, suggested that the highest risk stems from unintentional employee leaks and endpoint attacks.

Security leaders have a point. Recent breaches point to system misconfiguration and known, unpatched vulnerabilities, particularly of public cloud and on-premises server infrastructure and databases, as the most common cause of data exposure and successful exploits. This also naturally speaks to the security skills gap prevalent in the industry.

Simply, DevOps, ITOps and security teams need force multipliers in order to secure digital infrastructure at scale. For many organizations, this can be found in the form of IT and security automation. Using automation to promote collaboration and security mindedness and to arm teams with capabilities can help overcome skills gaps, mitigate known and unknown threats and establish hardened, resilient environments that businesses can rely on in times of stress.

Alex Peay is SVP of Product and Marketing at SaltStack
Share this

Industry News

August 05, 2020

Logz.io announced a partnership with HashiCorp, a provider in multi-cloud infrastructure automation software.

August 05, 2020

Digitate, a software venture of Tata Consultancy Services, announced the release of ignio™ AI.Assurance, an autonomous assurance product that enables enterprises to deliver better software faster, enhancing their business performance.

August 05, 2020

Harness acquired self-service Continuous Integration firm Drone.io, the creator of the open-source project Drone.

August 04, 2020

Aqua Security announced that its Cloud Native Security Platform is available through Red Hat® Marketplace, an open cloud marketplace that makes it easier to discover and access certified software for container-based environments across the hybrid cloud.

August 04, 2020

Threat Stack announced the availability of Threat Stack Container Security Monitoring for AWS Fargate.

August 04, 2020

OpenLogic by Perforce now provides an enterprise-class alternative to Oracle Java by offering OpenJDK distributions backed by OpenLogic support.

August 03, 2020

MuseDev launched on Github Marketplace the Early Access version of its code analysis platform, Muse, to help developers find and fix critical security, performance, and reliability bugs, efficiently, before they reach QA or production.

August 03, 2020

Styra announced Rego Policy Builder for the Styra Declarative Authorization Service (DAS).

August 03, 2020

Felicis Ventures has invested an additional $5M in Sourcegraph, bringing the total raised to over $46M, including a $23M Series B in March 2020 led by Craft Ventures.

July 30, 2020

New Relic delivered strategic updates to New Relic One.

July 30, 2020

IT Revolution announced the DevOps Enterprise Summit Las Vegas 2020 will be going virtual.

July 30, 2020

Adaptavist announced the acquisition of Go2Group, a US technology firm specializing in Agile and DevOps services and cloud solutions for the enterprise.

July 29, 2020

Panaya announced a new partnership with Worksoft providing SAP IT organizations with a best in class Change Intelligence solution that enables SAP ECC users to migrate or optimize their system risk-free.

July 29, 2020

Splice Machine launched the Splice Machine Kubernetes Ops Center, deployed with Helm Charts.

July 29, 2020

CirrusHQ, an Amazon Web Services (AWS) Advanced Consulting and Solution Provider partner, has achieved AWS DevOps Competency Status.