Last week the security industry put another RSA Conference in the record books. This year certainly was an interesting conference, at least for me. In addition to all of the great meetings, content, keynotes, and hallway discussions that always make RSA so worthwhile, some associates and I had the bonus journey of learning we would not be allowed back into our Airbnb rental. All of our clothes, toiletries, and much of our work gear were under lockdown.
Fortunately, we were eventually able to convince the very courteous San Francisco police to escort us to the rental to retrieve our stuff so that we could relocate to a hotel.
Before all of that excitement, during a panel discussion following Monday’s pre-RSA DevOps Connect: DevSecOps Edition, we discussed just how difficult companies have it when it comes to integrating DevOps processes and adapting to cloud apps. This is especially true when it comes to building software and using cloud infrastructure that is secure and resilient. Many of the challenges enterprises face when moving to the cloud and integrating DevOps come down to learning how to bring security along for the ride or, in many cases, how to build security in from the start.
What’s interesting is that larger companies are better at integrating security and DevOps than smaller enterprises are. Well, at least for now. DevOps.com’s inaugural Security @ the Speed of DevOps annual survey polled 255 IT security decision makers within organizations currently practicing DevOps. As one might expect, the degree of security and compliance automation and controls varied greatly between enterprises of various sizes.
When it comes to organizational size, DevOps is not evenly distributed. More than 90% of enterprises with more than 5,000 employees have either adopted or started to embrace DevOps methodologies. Of enterprises with fewer than 501 employees, only 38% have embraced DevOps. That’s still a good number, but it clearly shows a significant opportunity for smaller businesses to improve their processes, which is absolutely necessary to remain competitive.
Another gap is security automation. Only 6.5% of organizations with fewer than 100 employees have incorporated automated security testing on a significant portion of their applications. The good news is that these smaller organizations are at least starting to use security automation, with about 30% saying they have automated some of their testing. Again, here we see a stark contrast between smaller and larger organizations: at least 40% of organizations with 5,000 to 10,000 employees have automated large parts of their security testing.
My prediction is that by next year’s RSA Conference, we’re going to see a significant increase in security automation investment across companies of all sizes. Those companies that haven’t started yet are going to have to start, and those who are already well down this path are going to continue to shed as many manual application and cloud security processes as they can.
Consider a report from cloud access security broker Skyhigh Networks and the Cloud Security Alliance (CSA) titled Custom Applications and IaaS Report 2017. This report found that custom application use in the cloud has hit an all-time high, yet information security teams are aware of fewer than 40% of those apps. That’s not a sustainable structure. The Custom Applications and IaaS Report 2017 also found that companies are continuing to consume ever more cloud services with no sign of slowing down. Astonishingly, among those surveyed, infrastructure-as-a-service clouds hold more custom applications today than currently reside in corporate datacenters.
Indeed, in the years ahead, all organizations are going to have to embrace security automation with both arms just to survive in the cloud.