The trouble with making changes to a production environment is that change can have unintended consequences. A routine software or hardware upgrade might also have unintended or unforeseen effects that cause an outage.
To address the problem, development and operations (DevOps) shepherd every proposed change through a well-defined change management process. This process takes time to complete and so when it comes to the urgency of patching a newly-discovered security vulnerability, it can put cybersecurity teams at odds with IT operations.
An unpatched hole in a high-value target is like a beacon for adversaries and sets off a race between threat actors seeking to exploit it, and security teams striving to plug it. In 2018, it took organizations an average of 38 days to patch a vulnerability which is a considerable length of time. This is often a source of friction, or in the event of a breach, finger-pointing between security and DevOps.
Evaluating the Organizational Relationship
In 2017, Gartner Research Director Jonathan Care indicated even though DevOps and cybersecurity had previously “eyed each other warily,” he now thought they had a “meeting of minds.” He surmised that things were bound to improve. Nearly two years later, some observers say the relationship has gone in the other direction and warn of a “DevOps doomsday breach.”
“The popularity of the DevOps methodology increases the number of environments where security risks are raised, undetected and unmitigated,” according to one cybersecurity prediction for 2019.
When viewpoints are on either end of the spectrum, the truth sometimes lies somewhere in the middle. As such, we decided to put this issue to a test and included a question about the relationship between cybersecurity and DevOps in a survey of security professionals.
Here’s how the answers stacked up:
- 34% indicated the relationship with DevOps is strong;
- 35% were neutral – the relationship with DevOps is neither strong nor weak;
- 27% indicated the relationship with DevOps was weak; and
- 4% were unsure.
The responses break down into near-equal thirds which seems rather lackluster. This becomes more evident when comparing it to the state of the relationship between cybersecurity and the business.
To that end, we asked a similar question about that relationship and here’s how those answers stacked up:
- 51% indicated the relationship cybersecurity has with the business is strong;
- 26% were neutral – the relationship the business is neither strong nor weak; and
- 22% indicated the relationship with the business was weak.
It seems security has a stronger relationship with the business than with DevOps. The comparison between the two reveals is that there is room for improvement. Indeed, the pace and innovation of threats in the modern cybersecurity landscape may well demand it.
What do you think? What are some ways these two important disciplines can improve the organizational relationship? We’d like to hear from you so tweet us up @BricataInc.
If you enjoyed this post, you might also like:
New Vulnerability? Begin Change Management to Patch and Start Monitoring for Exploits