Resources Blog What Does DevOps Maturity Tell Us About Security Maturity?

What Does DevOps Maturity Tell Us About Security Maturity?

In March 2018 alone, IT Governance counted 20,836,531 records leaked (and that’s only in the news!), including hacks at the NHS and the National Lottery.

There’s even one incident in which someone accidentally sent information to the wrong fax number.

Here’s a selection of other major security breaches that shook both enterprises and governments recently:

  • Equifax breach: affecting 143 million customers
  • Facebook and Google: defrauded of $100m by a rogue Lithuanian hacker
  • Deloitte: cybersecurity ‘experts’ at Deloitte had failed to adopt two-factor authentication allowing hackers access to their entire email system.
  • NSA: leaked reports of a breach in the main digital defense branch of the US government by North Korean or Russian hackers.
  • WannaCry: this ransomware infected over 230,000 computers in over 150 countries
  • NotPetya: hundreds of millions of dollars in losses caused to companies including shipping giant Maersk thanks to this ransomware

The levels of risk in play, as well as the frequency and intensity of attacks, have never been greater.

We often talk about a ‘compelling event’ that pushes enterprises into about losing a decent chunk of your market cap overnight?!

So you’d expect a rise in interest in security best practices, right?

Have all these recent breaches resulted in greater interest in security best practice?

Security at Speed and Scale

While for some this is the case, for others the security penny has not yet dropped, as the results from Sonatype’s 2018 DevSecOps Community survey make plain.

Only 45% of those without a mature DevOps practice reported heightened interest in DevSecOps practices as a result of recent high-profile breaches (compared to 73% of those with mature DevOps practices).


This suggests that for more traditional IT teams, security is less of an immediate priority. Speed is the first concern, with security still considered a last-minute, box-ticking exercise that is tacked onto the end of the software delivery lifecycle.

Equally, the survey shows that high-performing IT teams have been paying attention to tech news. Three in four recognise that the rise of security threats requires a serious response from businesses.

This suggests that DevOps practitioners are more aware of the importance of security when it comes to delivering high-quality software at speed and scale (not to mention deploying the underlying infrastructure!). It’s understood more as a central principle, rather than a nice-to-have-if-you’ve-got-time.

Still, I’m surprised the number isn’t higher! Given the stakes, it should be approaching 100%.

Cybersecurity Readiness

The survey also reveals a shocking lack of preparedness for cybersecurity attacks.

The traditional teams give themselves a lowly 3.4 out of 10, compared to a 6.3 out of 10 ranking for mature DevOps teams.

Let’s imagine the kind of company out there that these stats suggests: they rate themselves about about 3 out of 10 for cybersecurity readiness. They know they’re vulnerable. At the same time, enormous breaches at the likes of Talk Talk and Equifax haven’t really stirred that much interest in DevSecOps. Would you place your bets on such a company?

Worryingly, even the mature DevOps teams rate themselves only 6.3 out of 10. It seems that DevOps with a security mindset is not enough. Full-blown DevSecOps – in which security is a foundational principle of software delivery and considered from the word ‘go’ – is needed.

The Relationship Between DevOps and Security

Of course, the other effective way to stay competitive in tough times is to foster digital innovation. DevOps is a proven method for releasing better software, faster.

But when digital innovation at speed and scale becomes the modus operandi of a business, traditional bolt-on security practices can easily fall by the wayside as it otherwise becomes a major roadblock for deployments.

However, the statistics above taken together suggest that engaging in DevOps practices has a positive impact on how you think about security.

Firstly, they reveal the importance of security – you suddenly learn that you can’t release at speed without streamlined security and governance controls.

Secondly, they free up time and energy to dedicate to security best practices – you spend less time manually patching machines and finally have enough time to set up configuration management tools that can patch all your machines at once, for example. This, in turn, allows more time for innovation, and so the virtuous cycle continues.

Security Is Evolving

I’ve seen nearly 100 digital transformation projects at some of the world’s most highly-regulated enterprises, like Allianz, HSBC and Barclays. DevSecOps has proven to be immensely valuable in every case.


Because if security is left out of the conversation, DevOps transformation usually fails to deliver on its promise. Security is now a major pillar of software delivery. It must be a principle that is embedded across your entire software delivery pipeline! Another important reason is that security threats will continue to evolve. Enterprise security measures must follow suit. Ultimately, then, the only proper approach is the ability to be flexible and adaptable.

Finally, I encourage you to read this year’s full set of responses from the 2018 DevSecOps Community Survey here.  The results are fascinating.  

Benjamin Wootton is the Co-Founder and CTO of Contino, a global technical consultancy that helps highly-regulated enterprise organizations to deliver better software, faster, through the adoption of DevOps and cloud computing.

Written by Benjamin Wootton