Public sector IT teams urged to embrace new application security strategies amid growing attack surfaces.
Application security must catch up with the expansion of the attack surface, which is now a significant problem for many organizations. Public sector organizations have ramped up their digital transformation programs to meet rapidly evolving citizen needs and to enable hybrid work, and as a result the velocity of application releases has skyrocketed.
Technologists are struggling to manage soaring volumes of emerging cyber threats across an increasingly dynamic and fragmented IT environment. As a result, government organizations are becoming increasingly susceptible to severe cybersecurity breaches. In the latest research from Cisco AppDynamics, "The shift to a security approach for the full application stack", 90% of public sector technologists admit that the rush to innovate rapidly and respond to the changing needs of end users has come at the expense of robust application security during software development.
In the UK, 40% of all cyberattacks target the public sector, with bad actors looking to exploit vulnerabilities to access huge volumes of personal data for fraud, identity theft and account takeovers. In the U.S., a survey found that the public sector has the highest proportion of security flaws in its applications and some of the lowest and slowest fix rates of any industry sector.
To address this, government IT professionals need to take immediate actions to integrate security into every stage of the application lifecycle. DevSecOps, which involves close collaboration between development and security teams, allows developers to integrate strong security features into each section of code, resulting in more secure applications and simplified security management from the start of development to after release.
The research indicates that public sector IT departments are lagging other industries in adopting DevSecOps, which is a cause for concern. Government technologists express concern that their organizations lack the necessary skills and tools in place to effectively handle the growing number of security threats.
It’s therefore critical that technologists act now to address this escalating issue, adopting a security approach for the full application stack.
Application security vulnerabilities exposed by siloed approach
In most organizations, security teams (SecOps) have traditionally operated separately from the rest of the IT department. Security has often been viewed as a reactive function, called in to address breaches and patch vulnerabilities after the fact. Indeed, a majority (61%) of public sector technologists believe that security impedes innovation, a higher proportion than in any other industry.
However, the drawbacks of this siloed approach are being dramatically exposed as the pace of application development accelerates. The widespread adoption of cloud-native applications and architectures, with application components running on a mix of platforms and on-premises databases, is leading to a significant increase in attack surfaces. This creates major visibility gaps for IT teams, as existing security solutions are unable to provide a comprehensive view of their organization’s security posture.
Technologists are being bombarded with security alerts from various parts of the application stack and are unable to cut through the data noise to assess the risk level of security issues and prioritize remediation based on the impact on end users. In fact, more than half of public sector technologists admit to feeling overwhelmed by the volume of security threats and vulnerabilities facing their organization. They simply lack the time and resources to manage the constantly changing and increasingly complex application security landscape. As a result, many IT teams are stuck in a state of “security limbo,” unsure of what to focus on and prioritize.
Public sector technologists must accelerate the shift to DevSecOps
IT leaders are acknowledging the need for more collaboration and a proactive approach to application security to overcome the growing challenge of cyber threats. DevSecOps is the solution to this challenge, as it integrates ITOps and SecOps.
However, the research finds that the public sector has been slow to begin the move to DevSecOps: only a third of IT departments have started the transition, and more than half are still just considering it. DevSecOps ensures that application security and compliance testing are integrated into every stage of the application lifecycle, from planning to shipping. Given the heightened risks, IT departments need to make the switch urgently. Technologists must be willing to step out of their comfort zone, embrace a more collaborative approach, and develop new skills beyond their specific discipline to succeed in a cloud-native environment.
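What "integrated into every stage" and "prioritize remediation based on the impact on end users" look like in practice, as an added example that is not from the article or from Cisco AppDynamics: a small policy gate that a DevSecOps pipeline can run at each stage (commit, build, test, release). It deduplicates scanner alerts, scores each finding by severity and by whether the affected component is internet-facing or handles personal data, and blocks the stage when outstanding findings exceed that stage's policy. The scanner findings, the service inventory and the blocking policy are all constructed for illustration.

```python
"""Added example (not the article's or any vendor's code): a stage-by-stage
DevSecOps policy gate with impact-based prioritization of findings.

Everything below is constructed for illustration: the findings stand in for
output of SAST/secrets, dependency (SCA) and DAST scanners, and the inventory
stands in for a service catalogue that knows each component's exposure.
"""
from dataclasses import dataclass

STAGE_ORDER = ["commit", "build", "test", "release"]
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Constructed service inventory: exposure context a scanner alone lacks.
INVENTORY = {
    "citizen-portal-web": {"internet_facing": True, "personal_data": True},
    "benefits-api": {"internet_facing": True, "personal_data": True},
    "report-batch": {"internet_facing": False, "personal_data": True},
    "internal-dashboard": {"internet_facing": False, "personal_data": False},
}

# Constructed policy: which severities block a stage. Later stages block on
# more, so nothing medium or worse reaches release without a decision.
BLOCKING = {
    "commit": {"critical", "high"},            # SAST / secrets scan on push
    "build": {"critical", "high"},             # dependency scan on build
    "test": {"critical", "high", "medium"},    # DAST against staging
    "release": {"critical", "high", "medium"},
}


@dataclass(frozen=True)
class Finding:
    stage: str       # pipeline stage whose scanner raised it
    severity: str    # scanner-assigned severity
    component: str   # affected service, looked up in INVENTORY
    title: str


def score(f: Finding) -> int:
    """Impact score: scanner severity scaled by the component's exposure.
    Unknown components are treated as fully exposed (fail closed)."""
    ctx = INVENTORY.get(f.component, {"internet_facing": True, "personal_data": True})
    multiplier = 1 + int(ctx["internet_facing"]) + int(ctx["personal_data"])
    return SEVERITY_WEIGHT[f.severity] * multiplier


def dedupe(findings):
    """Collapse repeated alerts for the same issue on the same component."""
    unique = {}
    for f in findings:
        unique.setdefault((f.component, f.title), f)
    return list(unique.values())


def prioritize(findings):
    """Unique findings ordered by impact on end users, highest first."""
    return sorted(dedupe(findings), key=score, reverse=True)


def gate(stage, findings):
    """Decide whether `stage` may proceed.

    Considers every unresolved finding raised at or before this stage and
    returns (passed, blocking_findings) with the blockers prioritized."""
    cutoff = STAGE_ORDER.index(stage)
    blocking = [
        f for f in dedupe(findings)
        if STAGE_ORDER.index(f.stage) <= cutoff and f.severity in BLOCKING[stage]
    ]
    return (len(blocking) == 0, prioritize(blocking))


# Constructed scanner output; the second line is a repeated alert.
SAMPLE_FINDINGS = [
    Finding("commit", "high", "citizen-portal-web", "Hard-coded credential"),
    Finding("commit", "high", "citizen-portal-web", "Hard-coded credential"),
    Finding("build", "critical", "benefits-api", "Vulnerable dependency"),
    Finding("build", "medium", "internal-dashboard", "Outdated library"),
    Finding("test", "medium", "report-batch", "Verbose error page"),
    Finding("test", "low", "internal-dashboard", "Missing security header"),
]


def main():
    for stage in STAGE_ORDER:
        passed, blockers = gate(stage, SAMPLE_FINDINGS)
        print(f"{stage:8s} {'PASS' if passed else 'BLOCK'}")
        for f in blockers:
            print(f"    [{score(f):2d}] {f.severity:8s} {f.component:20s} {f.title}")


if __name__ == "__main__":
    main()
```

The order in which blockers are listed is the remediation queue: a critical flaw in an internet-facing service holding personal data sorts well above a medium finding on an internal tool, which is the "impact on end users" ordering the article asks for rather than raw alert volume.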
As well as cultural change, DevSecOps relies on the implementation of holistic monitoring systems which leverage automation and AI technologies within application security processes. This is the only way for IT teams to cope with the spiraling volumes of security threats organizations are facing.
This type of automation is vital to identify weaknesses, predict future vulnerabilities and remediate issues. Once IT teams can teach AI tools to identify threats and resolve them independently of an administrator, the benefits are game-changing – reduced human error, increased efficiency, and greater agility in development.
Ultimately, DevSecOps will see application security become an accelerator for innovation, rather than a barrier. By taking a proactive approach to security throughout the lifecycle of their applications, public sector technologists will spend less time trying to identify and resolve issues, and more time on strategic activities based on citizen needs.