The past few years have required CIOs to understand what digitalization is doing to their company and their industry, and how IT teams should respond.
While these responses have varied widely, they have always involved a lot of change. This includes becoming less involved in some traditional activities because managers in the line are now comfortable with procuring their own technology and IT services, becoming far more involved in new activities because digitalization has become so fundamental to corporate strategy, and having to become more efficient at the services they do still provide because IT is now such a key part of so many company-wide initiatives, such as a new product launch, acquisition, or big change management project.
This last one is causing a headache for another part of IT, as companies embrace the use of Agile, DevOps, and other “continuous delivery” methodologies to produce IT services quicker and more efficiently. Information security teams, who themselves are no strangers to a rapidly changing work environment, are under pressure to ensure that all this activity doesn’t result in important confidential data (itself more valuable than it’s ever been) leaking out of the company – either from carelessness or criminal intent.
10 Ways Digitalization is Upending Information Security
A recent survey of around two dozen heads of information security produced a useful overview of the nature of this problem and how some of the world’s most forward-thinking teams are responding. Given that the majority of information security teams sit within the corporate IT function, this means that most of them need to change significantly their governance processes, and upgrade skills and competencies to meet the changing expectations of managers across the company.
-
Digitalization is creating new speed pressures and increased demand for information security:
-
100% of security leaders agree or strongly agree that compared to one year ago, the information security function is feeling pressure to increase the speed at which it delivers services or decisions.
-
96% of security leaders agree or strongly agree that compared to one year ago, the information security function is feeling an increased demand for its expertise and involvement.
-
-
Information security is viewed as an impediment to IT and business speed:
-
71% of security leaders agree or strongly agree that IT and line managers typically view speed goals and security goals at odds with one another.
-
For example, 1 in 5 security leaders admitted that 31%–50% of total IT/business project portfolio encountered rework because of a security (e.g., unfulfilled security requirements) in the past twelve months.
-
-
“Continuous delivery” is on the rise:
-
Half of participating organizations are currently using a continuous delivery approach (i.e., a software delivery model that releases updates as soon as a new functionality that will independently provide business value is ready) for less than 10% of their overall IT/business project portfolio.
-
However, in the next 12–18 months, 50% security leaders expect that a third or more of their overall IT/business project portfolio will be in a continuous delivery mode.
-
-
DevOps is also on the rise:
-
83% of participants reported that their overall organization is either already piloting, implementing, or scaling DevOps. DevOps refers to team structures and workflows that take advantage of automation and establish frequent collaboration between development, IT infrastructure engineering, and support teams.
-
-
Information security teams are increasingly being pulled into DevOps conversations:
-
55% of information security teams are involved or highly involved in organization-level conversations around whether or how to implement DevOps.
-
-
Static analysis scanning tools are the most popular means for automating governance:
-
More than two-thirds of security leaders reported using static application security testing (SAST) tools on at least 25% of business/IT projects or piloting the use on a smaller proportion on projects (see chart 1).
Chart 1: Please indicate the extent to which your organization is using each of the following tools n=24 information security leaders Source: 2017 CEB Information Security in the Age of Agile and DevOps Survey
-
-
“Containerization” is on the rise as majority expect speed and application security benefits:
-
Nearly 60% of security leaders are using containers on at least 25% of business/IT projects or piloting the use on a smaller proportion on projects.
-
46% of security leaders believe containerization improves both delivery speed and application security.
-
-
Microservices are key to enabling security governance automation in the future:
-
58% are using security microservices on at least 25% of their projects or piloting the use on a smaller proportion on projects. Another 38% have plans to use microservices in the next 12–18 months.
-
-
Authentication and access management is the most commonly offered security microservice:
Chart 2: Which security microservices are available to your developers? n=17 information security leaders (those without security microservices were excluded from calculations) Source: 2017 CEB Information Security in the Age of Agile and DevOps Survey
Note: Percentages will exceed 100 since participants could select multiple options.
-
Talent is the primary barrier to automating governance:
-
71% of information security leaders reported not having enough full-time employees to set up and manage the solutions needed to enable automating security governance. And 33% cited lack of technical expertise to set up and manage such solutions (see chart 3).
Chart 3: Please select two statements below that best describe your organization’s top two barriers to implanting or increasing current use of automated security governance n=24 information security leaders Source: 2017 CEB Information Security in the Age of Agile and DevOps Survey
-