In a previous post, we discussed why a new, collaborative approach to IT budgeting is required to support digital transformation. Because IT is so closely intertwined with every area of the organization – not just to perform basic functions, but to drive strategic goals – IT budgeting can no longer occur in a vacuum.
Security investments are a critical part of the IT budgeting process, but organizations are having trouble allocating security dollars. According to the 2018 State of Security Budgeting report, based upon a study conducted by research firm Vanson Bourne, 54 percent of organizations are concerned about outgrowing their security solutions very soon.
Although budgets are expected to increase by 19 percent over the next two years, more than 90 percent of organizations are struggling to decide how and where to invest, thanks in large part to digital transformation and quickly evolving infrastructure. On average, 41 percent of infrastructure remains on-premises. Organizations are shifting to cloud and container platforms, which explains why cloud workload security and intrusion detection systems will be the top two budget investments in 2019.
The budget allocation struggle can often be traced back to the friction between security and DevOps teams. Almost all respondents (91 percent) believe developers introduce risk to organizations by releasing code that might not be secure. At the same time, security teams are perceived to be a drag on innovation. To improve application security and build alignment between the two sides, most organizations have identified DevSecOps as a goal.
In many organizations, security is an afterthought when developing applications: the attitude is to just make sure it works and figure out security later. DevSecOps gives security teams a seat at the table with development and operations teams to ensure that security is built into DevOps initiatives. DevSecOps is about more than choosing the right security tools. It’s about building a culture in which security is both a priority and a shared responsibility right from the start of development initiatives.
Therein lies the challenge. Changing culture isn’t easy. To make DevSecOps work, security teams need to share threat insights with developers so that they can code with security and compliance in mind. Security also needs to train developers in code assessment so that security teams don’t have to inspect code line by line, which slows down the development process. Close collaboration is required to enable development and security teams to determine how far developers can go with code assessment and when to involve security.
One of the keys to making DevSecOps work is automation. Once all sides come together to achieve shared business goals, automating manual processes and incorporating security principles early in the development lifecycle will create more efficient workflows. This will enable security to quickly identify and correct security and compliance issues without disrupting the development process, which allows organizations to accelerate the rollout of new services.
Security is a critical component of the IT budget, but many organizations find it difficult to align security and compliance requirements with DevOps and digital transformation initiatives. Technologent can help you overcome the challenges to implementing DevSecOps and deploy the automation tools required to create a secure, efficient development process. Let us show you how a DevSecOps approach can inform your IT budgeting decisions and security investments.