DevSecOps trend accelerates: CIOs are changing who is responsible for cybersecurity


CIOs are remaking the IT function — no longer will security and developer teams be siloed.

Recent survey data from 451 Research, part of S&P Global Market Intelligence, and published by Elastic shows a major shift in who is using application security tools, suggesting that DevSecOps is not just an idea, but a growing reality for IT decision makers.

IT decision-makers allocated application security tools to 48% of development teams in 2020, compared to just 29% in 2015. That’s nearly a two-fold jump.

According to “The New Security Imperative for CIOs” report by 451 Research, “Opportunities abound for security to become more directly integrated into DevOps efforts, with CIOs leading the charge.” The report continues: “Security teams must become better versed in DevOps practices and tools, while DevOps pros must increasingly embrace the integration of security practices and technology.”

Protect while observing

CIOs can leverage a valuable DevSecOps resource in the form of telemetry collected from operations. Observability data gathered while assessing application and infrastructure performance and availability can double as a key resource for cybersecurity initiatives. Making strides towards integrating security with the development, deployment, and monitoring of technology — in essence, protecting while observing — offers mutual benefits to developers, security teams, and the business overall.

Developers, ops teams, and security analysts share a common pain point: too many tools and too little time. Whether the context is maintaining system uptime and availability or investigating suspected malicious activity on a network, DevOps and security teams need to work fast to identify issues and respond appropriately.

Quickly investigating an abnormality requires data that tells a complete story of what happened. Too often, these teams need to piece together the story by manually correlating and analyzing metrics, logs, and traces, losing precious time as they struggle to find root cause and sift through disparate data from multiple tools. The ideal state for both teams is automatic correlations and advanced analytics that are easy to access from a common source — maybe a single operational store for a developer or a security information and event management management (SIEM) or extended detection and response (XDR) solution for an analyst.

Imagine the potential benefits if these teams and processes were more collaborative. Observability data could add more context for security teams as they work to quickly detect and respond to threats. At the same time, developers who are cross-literate in security technology could reduce friction in development by securing from the start.

Breaking down silos and simplifying workflows across DevOps and security teams may help these professionals who rely on speed reach their objectives — and those of the business — faster. Development and continued uptime of secure, reliable technology ensures an organization can continue to serve its customers. At the same time, securing IT helps prevent the event of a data breach and all the challenges they entail, from compromise of valuable assets to potential damages to a company’s reputation.

Get the analyst’s perspective on “The New Security Imperative for CIOs.”

See the research

Identifying opportunities for DevSecOps

Technology leaders recognize the necessity of sharing the responsibility of security. “Security processes should be as fundamental to the enterprise as those for onboarding employees or designing great customer experiences,” says Nate Fick, VP of Security Strategy at Elastic.

If organizations are already taking strides towards DevSecOps in the way leaders assign tools and think about collaboration, there are ways CIOs can accelerate that progress. Pursue opportunities to:

Integrate expertise across teams. Modern development happens fast. Greater collaboration across security and DevOps teams can help ensure IT is developed securely without friction that could slow developers down. DevOps teams can become better versed in security tools and practices, and vice versa.

Unite teams under the banner of observability. Once cross-functional teams are established,

Set the tone at the top. Security is essential, full stop. Executive sponsorship is critical to spread awareness throughout an organization and receive the backing needed to put security measures in place.

With steps like these, CIOs can shepherd a trend that’s already underway from their unique vantage point in the C-Suite. By tapping into the combined power of DevOps observability and security, CIOs can help their employees be more efficient and effective while delivering a secure, reliable experience to their customers.