Wednesday, 1 November 2017

DevSecOps: What it takes to drive transformational change

itproportal.com

Solving the DevSecOps security gap will require organisations to provide additional training to their employees.


The digital revolution has forced businesses to change the way they deliver products or services today. Software development was often reserved for the back office, but it’s now risen to the front-lines where every missed deadline or functionality glitch ripples through the business, with the potential to have an impact on revenue and customer retention.    
Add security on top and it’s another layer of challenges for a business. Sevenin ten large companies have been impacted by a cyberattack or data breach in the last year alone, that rise in risk has put security at the top of the senior leader’s priority list. As a result, DevSecOps is increasingly being adopted to address this shift. This method builds on the well-known DevOps approach by integrating security into the development and testing cycle, creating faster, better quality and more secure applications.    
This shift fundamentally changes the roles of the development team. Gone are the days when a developer’s job was to only focus on ensuring the code was functional, and the security team was responsible for making sure the applications are secure after they were built. Now, security, development, and operations teams have to work together every step of the way so applications are built, tested and deployed faster and more secure than ever before.   
Security skills gap: Impact on business  
To compete in the growing app economy companies are trying to scale their software development at pace. According to a report by Veracode and DevOps.com, nearly 40 per cent of organisations say the hardest employees to find are all-purpose DevOps gurus with sufficient knowledge about security testing. On the IT ops side, the top two skills that are the hardest to find are vulnerability management and containerization skills.    
This ongoing skills gap could be holding many organisations back from their application delivery ambitions. Only a small fraction of respondents — about one in ten — can boast using DevOps practices from development to production across the entire organization. The majority either employ DevOps within limited teams or inconsistently across the business, while other companies are just starting their own DevOps journey within the next year. 
While in-house training would seem like an obvious fix, seven in ten developers surveyed confirmed that their organisations provide them with inadequate application security training. And many security professionals felt the same way.     
One of the main things holding organisations back from investing in training is the cost and impact on resources. Most of the well-known application security training courses can cost thousands of Pounds and require multiple days of lost time for a developer. However, continuing education for employees doesn’t have to be that invasive.  
Self-guided or e-learning training programmes are effective ways to gain new skills for the job. They allow team members to go at their own pace and fit training around their work schedule. Unfortunately, only half of respondents said they could get their companies to foot the entire bill for training.   
Investing in on-the-job training now can ensure the organisation is better prepared for future demands. Relying on graduates to arrive on the job with those skills in hand could be setting the organisation up to fail.   
Higher education: What’s missing?    
New developers or IT operations graduates aren’t learning the skills needed to thrive in today’s app-centric environment. Unfortunately, this is down to the curriculum shortcomings in formal education currently.    
The vast majority of respondents in the 2017DevSecOps Global Skills Surveysaid they were not required to complete any courses focused on security when getting their degree. This is surprising, given the growing importance of security to the survival of businesses today.     
Several academic experts involved in the study explained that today’s typical computer-science program does not tune itself to the security needs of a fast-paced IT organisation. Only one to two lecture hours are dedicated to secure design, one to two hours of defensive programming, two optional hours of network security and one hour of threats and attacks. According to one university professor, “This needs to be embedded in the curriculum from the beginning, instead of just waiting for somebody to teach a security class.”  
But it’s not just for universities and colleges to up their game, the industry needs to step up as well. The current curriculum is lacking in real-world training such as input and output coding – where most security vulnerabilities lie – and an emphasis on practical security hours versus the bare minimum they’re getting now.    
The DevSecOps survey polled 400 IT professionals globally, 64 per cent of which disclosed that the most valuable skills learned were obtained on the job, with just three per cent stating that their career-boosting skills were accrued through education. This great disparity illustrates the need for CIO’s and IT leaders to be more involved in curating the curriculum for university and colleges. It would go a long way to ensure the next generation enters the workforce with the right skills, especially as the app economy shows no signs of slowing.   
The future: Embracing a new way forward 
Tackling the DevSecOps skills shortage requires every business to undergo a mind-set shift. While the approach to implementation will certainly vary between organisations, there has to be a universal understanding that the talent deficit is a priority and impacts the entire business. That cultural change needs to come from the top, where CIO’s educate the senior team on the imperative to train-up and that permeates throughout the organisation. Also, it cannot just be focused on developers, but security and operations teams as well. Every player in the DevSecOps environment needs to have a solid understanding of security principles and DevOps for the new strategy to be truly effective.    
As a start, there are four ways CIO’s can start initiating transformational change:   
Incorporate security training at every opportunity: As seen in higher education, security cannot be a separate course for it to stick. If organisations introduce security principles into every training opportunity, employees will retain the information better, see how it’s used in real-world cases and ultimately, improve the work that’s delivered for the business.   
Applicability adds value: It doesn’t matter if the training is for developers, security or operations teams, it has to be targeted and applicable to the specific role. While every role needs to have knowledge of DevOps or security principles, there are varying degrees depending on their position and skill set. Getting a handle on the base level knowledge of each team member will ensure the organisation doesn’t waste money unnecessarily and employees get the most value out of the training.   
Invest in continuous education: Continuous education is a must for continuous and secure delivery of software. If organisations struggle to justify sending developers away for extended training classes, bring in application security experts to train staff on the job.
Get involved in the community: It may not be of immediate benefit to the organisations, but it’s worth encouraging the senior team or developer/security leads to get involved in higher education mentoring or advising. Whether it is through shadow days at the office, an apprentice programme, or advising on curriculum or new skills needed in the workforce – all will go a long way to ensure the next generation of graduates will be better equipped to thrive in any app-focused business.   
Solving the DevSecOps security gap will not happen overnight. Organisations need to take action now to upskill their developers, train their security teams and play an active role in nurturing future developers. It’s the only way to ensure businesses thrive and the application economy will be secure now and in the future.