Now more than ever before, effective cyber security requires a concerted effort across the entire enterprise. While software was once limited in both its functionality and its reach within the organization – e.g., in the occasional use of locally stored documents, spreadsheets and other programs among discrete groups – it is now inseparable from many everyday operations, in every department from IT to line-of-business. Applications such as VoIP, video conferencing and cloud storage, supported by the Internet and the cloud, have all become essential to communications and have also broadened the importance of network security as the first line of defense for this always-on connectivity.
The growing centrality of cloud-connected applications has created new security risks to enterprise data, making it vital for organizations to be able to identify any possibly suspicious activity early and often. Going to back to the collaboration we mentioned at the very beginning here, there is a clear need to include contributions from both the technical and business-oriented sides of a firm in formulating a sensible modern cyber security strategy. There is already a precedent for such heightened coordination, in the form of the increasingly popular DevOps movement that is popular among startups as well as network carriers.
DevOps and the importance of collaboration in cyber security
Can DevOps serve as a blueprint for a new approach to cyber security? Let's look at what DevOps entails and the influence it has had so far within the software field. The word "DevOps" is a portmanteau of "development" and "operations," meant to convey a close working relationship between two technical segments of an organization that would have been siloed from each other in a traditional arrangement.
Ideally, this setup allows for projects to be completed much more quickly than they would be if everyone was still operating within discrete silos. Moreover, many tools, including ones capable of tasks such as continuous integration and cloud orchestration, are billed as DevOps-ready solutions that enable greater business agility through their support for rapid development, testing and deployment. However, it is important to note that DevOps is not simply about technical tools – it is also a cultural movement promoting collaboration.
The relationship between DevOps and cloud computing is deep, with one commentator aptly likening the two of them to the classic combo of chocolate and peanut butter. Accordingly, as enterprises increasingly invest in cloud-based services, they will likely take a good, long look at DevOps as well, since it can provide the speed and iterability needed to make the most of cloud infrastructure. DevOps and cloud have a symbiotic relationship. Both can help encourage adaptability to rapidly changing project requirements.
"Cloud computing, whether inside your firewall or purchased from a service provider, is essential to success with DevOps," explained Paul Gillin in an article for CIO. "The virtual platform needs to be as fluid as the application, and deployment from development to production needs to be automatic in order to meet the demanding delivery requirements."
A 2014 survey from Puppet Labs found that organizations that had implemented DevOps had 50 percent fewer failures than ones that did not, in addition to being able to deploy code 30 times as quickly. For example, carriers like T-Mobile have taken up DevOps as a way to close the gap with larger rivals such as AT&T and Verizon. DevOps can provide the speed and efficiency that are so important for organizations with limited resources to begin with.
Applying the DevOps model to security may seem unorthodox at first glance, if only because DevOps and cyber security have sometimes been pitted against each other, as DevOps expert Gene Kim told The Wall Street Journal earlier this year. More specifically, the accelerated release cycles of DevOps culture can complicate the efforts of the security teams, which have to assess the impact of these changes on the organization's core data and IT infrastructure. But at the same time, the collaboration at the heart of DevOps could be a guide to bridging the divide between IT and everyone else when it comes to tackling common security issues.
Cyber security: Not just the IT department's job anymore
In a recent article for Procurement Leaders, Paul Teague pointed to the need for closer collaboration between IT and procurement in mitigating the risk of data breaches. The logic is straightforward: With the average consolidate cost of a security incident have risen to $3.8 million (up 23 percent since 2013), protecting data is not simply an exercise in privacy protection but one that also has far-reaching implications for the financial health of the whole enterprise.
These kinds of calls for tighter working relationships are merited, especially given the centrality of software (and cloud applications in particular) and the growing influence of consumer technology on IT, via bring-your-own-device policies. Moreover, some common cyber attacks such as spear-phishing are directed at end user assets like email accounts rather than directly at an enterprise's network infrastructure.
In this context, we can see the advantages of taking a DevOps-esque approach to cyber security, one that keeps everyone on the same page throughout the enterprise's self-improvement processes and its adjustments to new cyber threats. As Steve Hall noted for ScriptRock, the idea here is not so much putting security into DevOps, but placing DevOps into security. In practice, this entails better alignment of security with business objectives, with data protection goals implemented early on in the development of any application or service and then automated (a process staple within DevOps cultures) for easy short- and long-term management.
DevOps has been a huge boon to startups, enterprises and service providers seeking to adapt to a cloud-centric world in which popular services can be quickly rolled out to many users while still maintaining a high level of quality. Cyber security increasingly needs both this speed and attention to detail, if it is to keep up with the threats posed by denial-of-service attacks, malware and phishing. There is plenty to learn from DevOps in remaking cyber security for these new challenges.