Seventy Percent of Firms Sacrifice Security for Faster Innovation

As IT infrastructures have become more complex, certain specialist functions have developed their own niche requirements connected to but separate from mainstream IT operations. Prime examples would include development, security and network. Over the years, these niche requirements have become siloed and less efficient than they should be.

In more recent years there have been attempts to break down the silos to re-integrate the functions with mainstream IT operations -- and the concepts of DevOps, NetOps and SecOps, and the more nuanced DevSecOps, have evolved. The umbrella term is xOps. In all cases the purpose is to improve speed, agility, and efficiency of the niche functions through better integration with IT operations, and the process has frequently proved very successful.

However, the degree of efficiency achieved is entirely dependent on the success of reintegrating the functions with IT operations -- and this is not uniform. Lehi, Utah-based automation firm SaltStack has launched a new series of survey reports examining the current state of xOps, starting with an examination of the state of SecOps. (SecOps differs from DevSecOps. The former is the overall security of the infrastructure and its data, while the latter is an attempt to build security into the development phase of new applications to avoid having to bolt security on after deployment.)

SaltStack's 'State of XOps Report, Q2 2020' (PDF) queried 130 verified infosec and IT leaders during January 2020. This is against the background of Gartner's 2017 prediction that through to the end of 2020, 99% of vulnerabilities exploited will be ones already known by security and IT professionals. "A number of recent breaches indicate system misconfiguration and unpatched, known vulnerabilities, particularly of public cloud and on-premises server infrastructure and databases, are the most common cause of data exposure and successful exploits," adds Alex Peay, SVP of product and marketing at SaltStack.

The implication is that if the vulnerabilities are known but not fixed, there is a lack of adequate collaboration between the security and IT teams. This is confirmed by the SaltStack survey. Only 54% of security leaders say they communicate effectively with the IT professionals, while a mere 45% of the IT professionals agree. While both figures are worrying, the difference also suggests over-confidence by the security team in their ability to communicate, and/or IT's willingness to listen.

Despite this, there is a basic understanding of what should happen. For example, both security and IT managers agree that data protection should be prioritized over innovation, speed to market and cost. The reality, however, is different in practice -- only 30% say this happens. A full 70% say their company sacrifices data security for faster innovation. Peay told SecurityWeek that the cause is probably complex: "a bit of the operations team self-pressuring to complete work as quickly as possible, a lot of pressure from above, and perhaps some personality clashes between Sec and Ops."

It is, however, a problem that needs to be solved and one that the SecOps concept isn't yet solving. SaltStack believes the problem may lie in the different details of responsibility between the two teams. "IT operators have the mandate to rapidly innovate and push new products to market while maintaining infrastructure reliability," says the report. "Security pros are tasked with identifying security vulnerabilities and compliance issues. The shared responsibility of taking action to remediate security issues and enforce compliance often falls between the cracks."

These cracks may be amplified by the lack of a cross-group process that ties the two teams into working together collaboratively. It's a suggestion that is supported within the detail of the survey. Where cross-functional collaboration and automation tools are used, managers are four times more likely to say that the IT and security teams communicate effectively.

This is further emphasized by a common dislike of certain tasks (both groups hate patch management, security hates threat prioritization, and IT hates compliance audits), while both groups agree that automation unifies the work of SecOps, enabling team collaboration and efficiency. The implication is that automation covering both Sec and Ops transcends the natural differences between the two groups, and can make the concept of SecOps successful.

The patching problem has been amply illustrated by recent vulnerabilities within SaltStack's own Salt product. Two vulnerabilities were discovered by F-Secure and responsibly disclosed. SaltStack patched the vulnerabilities before F-Secure went public, but F-Secure made the point that a competent hacker would take no longer than a day to develop an exploit. Patch by Friday or be breached by Monday, it warned. And it was right: breaches based on these exploits began to be reported over the weekend.

"There are simply not enough skilled humans to secure digital infrastructure at scale without the force multiplier of security operations automation and improved collaboration among teams," says Peay. "Automation and collaboration are proven to be the difference between a breach, or truly secure digital business."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.