
Automate DevOps so you can focus on a security-first culture

Amid all the fanfare hailing the benefits of DevOps, it is clear the movement to change how IT departments build, deploy and run applications is gaining momentum. CA Technologies suggests 81% of UK companies believe agile and DevOps are “critical to successful digital transformation.” However, as demand for DevOps approaches grows, so too does demand for relevant skills.

This is increasingly going to become a headache for IT teams as they look to use agile application development methodologies to respond to the needs of their business. The danger is that if teams are under-resourced and pressured to deliver applications, questions arise about how they guarantee quality assurance in coding and oversight of security compliance.

Organisations commonly feel like they have to trade off between security and productivity. That’s absolutely not the case, but it needs the people shipping code and the security specialists to do some collaborative work up front.

Ben Taylor, VP of Engineering at drie

Sadly, research by Gartner last year found that only 20% of enterprise security architects had properly engaged with DevOps initiatives, and the majority of IT professionals felt information security was slowing down the ability of the IT department to respond to the needs of business.


While working at HM Revenue & Customs I saw first-hand how a great security team, willing to help redesign processes up front, could help us to ship services which conformed to a common pattern quickly without putting users at risk. By putting a platform and tooling in place, we saw HM Revenue & Customs take projects which would have taken 18 – 24 months and deliver them in under six weeks.

Taking a service-led approach and automating the deployment and management of cloud applications can clearly go some way to easing the burden placed on IT teams. If security controls and processes can be embedded in the development process from the very beginning, those processes can be significantly streamlined. More importantly, unlike security by checklist, automation ensures that the services remain secure going forward.

However, I believe this is only part of the solution. DevOps is not only disrupting how applications are built and deployed. It is no overstatement to say that it is affecting fundamental organisational structure and culture, which also needs to be addressed if companies are to successfully adopt this approach. For example, historically roles in the IT department appear to have been divided crudely into those that build and those that maintain systems. There is a further separation of those that perform infosecurity roles. A report by HP last year identified that not one of the top ten Bachelor’s Computer Science programmes in the US requires students to complete a security class to graduate.

As it stands today, the builders see themselves as the inspiration for organisations, understanding the business, spotting trends and quickly deploying applications that help to generate competitive advantage.

Those on the operational teams have always been perceived as having the less glamorous, but frankly essential, role of keeping the lights on. In the future, CIOs and IT departments need to break down these silos, and that requires a significant change in culture, as well as evolving the core skills required in the IT department. It will have to include hiring people who still have strong technical expertise, but also have a number of other competencies not traditionally associated with IT professionals.

Andrew Horne, CEB, says the IT industry has recognised the need to change. He talks about a 20% increase in IT job descriptions seeking candidates with multiple areas of technical expertise combined with competences such as influencing, relationship management and communicating. He has also seen a 30% increase in the need for “learning agility.” The worry is that by his estimation only 60% of employees are proficient in this competency. When you add this statistic to the report by the Science and Technology Select Committee that said the UK needs an additional 745,000 workers with general (never mind specialist) digital skills by the end of this year, the size of the challenge begins to take on even more significance.

Horne talks about the need for “learning agility,” but this is not something that can be developed overnight. Certainly, in time existing and new IT professionals will be able to build up the right skills, if supported by their employers, trade bodies and the education system. Therefore today’s CIO will have to look at short-term strategies using a service-led approach to automating some of the heavy lifting around application deployment, while investing significantly in the future skills of the IT department. Without this mix of short-term and long-term approaches, IT departments may continue to come unstuck over a clash of traditional and agile approaches to application deployment.
This article is from the CBROnline archive: some formatting and images may not be present.