Similarly, while CIOs and CISOs point out the importance of a formal security programme for development, a SecDevOps approach is only implemented in less than one company in 10 ( and under construction in just a few more). However, DevOps alone is already present in almost 80% of companies, and the experience of this transformation should serve as a springboard for wider adoption of SecDevOps.
Which of the following best describes the situation at your organization regarding the adoption of DevOps or SecDevOps program(s)? ? (respondents: IT and Security)
“Shift-Left”, a concept taking sime time to materialize
Security by Design and SecDevOps are the two approaches that best embody the concept of «shift-left», i.e. shifting the focus of security considerations upstream of projects. Involving security at the earliest possible stage and making all the players aware of their responsibilities makes it possible, on one hand, to make technical and functional choices that minimise risks (e.g. dispensing, to the extent possible, with certain personal data) and, on the other hand, to remedy without delay vulnerabilities that would be more complex (and more costly) to process later. Based on a formalised security programme implemented by the IT Department, this «shift-left» principle is one of the keys to operational excellence in cybersecurity.
However, despite the enthusiasm shown, the «shift-left» has been slow to materialise. According to Business decision-makers, who are the most optimistic on the matter, less than 4 out of 10 companies are concerned about security right from the planning phase of new projects. Only 23% of CIOs consider that it is (correctly) addressed at this stage.
To what extent is IT security embedded into new business initiatives in your organization?
This difference between the respondent groups on the early consideration of security betrays three distinct positions within the company.
Business profiles are optimistic and convinced of the merits and effectiveness of «shift-left», but they appear to neglect what remains to be done downstream to control countless and changing risks.
Realistic and pragmatic, CISOs consider that it is not necessarily relevant to talk about risks too early and that they are dealt with more effectively when the specifications are advanced enough to identify and qualify them.
Finally, CIOs could be accused of pessimism, stating that the constant evolution of the information system, technologies, uses and threats will, in any case, require them to deal with security problems after the launch.
Despite their differences, these three points of view hold some of the truth about cybersecurity. The challenge of operational excellence is to reconcile them in a formalised and coordinated approach.