Written by James Harvey, CTO Advisor, EMEA, Cisco AppDynamics

Security teams have traditionally operated separately from the rest of the IT department and the prevailing perception is that security is a reactive function, brought in to resolve security breaches and patch up vulnerabilities. But the Achilles heel of this siloed approach is being dramatically exposed as the attack surface expands, as the speed of application development continues to soar and we see accelerated adoption of dynamic, cloud-native technologies.

In response, IT departments need to take a different approach to application security and move to a DevSecOps approach, where security is integrated into the applications lifecycle from the outset, rather than being an afterthought at the end of the development pipeline. DevSecOps requires new tools and technologies but, most of all, it requires cultural change, with closer collaboration between teams. As such, technologists need to change their mindsets around security and recognize that, with the right approach, security can lead to faster and more sustainable innovation, rather than slowing it down.

Siloed approach exposes application security vulnerabilities
As organisations have ramped up their digital transformation plans, in response to changing customer needs and to enable hybrid work, application release velocity has skyrocketed. Unfortunately, however, application security hasn’t kept pace. In the latest research from Cisco AppDynamics, ‘The shift to a security approach for the full application stack’, all surveyed technologists from the United Arab Emirates (UAE) admitted that the rush to rapidly innovate during the pandemic came at the expense of robust application security.

Much of this can be attributed to fragmented structures and working practices, where ITOps and security teams operate in silos. The only time any form of collaboration occurs is often when a potential issue is identified — which is arguably too late. Developers don’t seek out input from security colleagues because they fear it will slow release velocity. Indeed, the research found that 71% of technologists across the Emirates perceived security to be more of an inhibitor than an enabler of innovation within their organisation.

Until now, IT departments have largely been able to get away with this siloed approach. But as organizations have accelerated release velocity and built more dynamic applications using low-code and no-code platforms, technologists suddenly find themselves trying to manage a dramatic expansion in attack surfaces. Widespread adoption of multi-cloud environments means that application components are increasingly running on a mix of platforms and on-premise databases, and this is exposing visibility gaps and increasing the risk of a security event. The potential consequences are catastrophic for both the customer experience and the bottom line.

Minimize risk and accelerate innovation with a DevSecOps approach
Faced with this growing challenge, IT leaders are recognizing the need for much tighter collaboration between teams and a more proactive approach to application security. DevSecOps brings together ITOps and SecOps teams so that application security and compliance testing are incorporated into every stage of the application lifecycle, from planning to shipping. By taking this approach, developers can embed robust security into every line of code, resulting in more secure applications and easier security management, before, during, and after release.

IT departments can avoid the current situation where security vulnerabilities are only addressed at the last minute before launch or identified after the application has already been released. By incorporating security testing from the outset of the development process, security teams can analyze and assess security risks and priorities, during planning phases, to lay the foundation for smooth development.

DevSecOps relies on the implementation of holistic monitoring systems which leverage Artificial Intelligence (AI) and Machine Learning technologies within application security processes, to cope with the spiraling volumes of security threats organizations are facing. This type of automation is vital to identify weaknesses, predicting future vulnerabilities, and remediating issues. Once IT teams can teach AI tools to identify threats and resolve them independent of an admin, benefits, from reduced human error and increased efficiency to greater agility in development, are sure to follow.

There is now a widespread realization that DevSecOps is the best way for organizations to cope with increasing cybersecurity risk, without sacrificing development speeds. This is validated by the research which found that 82% of UAE-based technologists now regard a DevSecOps approach as critical for their organization to effectively protect against a multi-staged security attack on the full application stack. Not surprisingly, 49% of organizations in the UAE have already started taking a DevSecOps approach and a further 48% are considering making the shift.

Ultimately, DevSecOps will see security become an accelerator for innovation, rather than an inhibitor. By taking a proactive approach to security throughout the lifecycle of their applications, technologists in the region will spend less time trying to identify and resolve issues, and more time on strategic activities based on business needs. And this means that IT teams will be able to ship and deploy applications more quickly.