Success in a cloud native environment requires technologists to combine specialist and generalist skills.
Many IT departments are adopting a DevSecOps approach to application development and security in response to a rapidly changing risk landscape. Rather than being treated as an afterthought, security is now integrated into the application lifecycle from the outset. This cultural shift requires technologists to move away from entrenched mindsets and processes, embracing collaboration and adopting new tools like AI to manage expanding attack surfaces caused by the shift to cloud-native technologies.
As the DevSecOps approach has increasingly become the norm within IT departments in all industries, it has become imperative for technologists to expand their knowledge and skills. They must develop new specialist skills within their discipline to support the shift to modern application stacks, but they will also need a better understanding of other IT department functions to work effectively as part of a cross-disciplinary team. In short, they need to become both specialists and generalists to thrive.
A siloed approach to application security is exposing risk and threatening innovation.
Research by Cisco AppDynamics, "The shift to a security approach for the full application stack", exposes the extent to which application security has become more challenging as organizations have accelerated their digital transformation initiatives to meet evolving customer needs. The research found that as many as 92% of technologists admit that the rush to innovate rapidly since the start of the pandemic has come at the expense of robust application security during software development.
The fast adoption of cloud technology and the availability of low-code and no-code platforms have allowed developers to speed up software releases and create more dynamic applications across various platforms. However, the extensive use of multi-cloud environments has resulted in applications running on multiple platforms and on-premise databases, creating visibility gaps and significantly increasing the likelihood of a security breach. Research indicates that over 75% of technologists are worried that their organization is at risk of a multi-staged security attack that could affect the entire application stack.
New cybersecurity threats are exposing the flaws in traditional approaches to application security, particularly the lack of input that security has had into the application development process. In many organizations, there is little ongoing collaboration between developers and security teams – they only engage when a security issue has already arisen.
The new cultural shift towards DevSecOps
IT departments are moving towards a DevSecOps approach because they have identified the need for a new approach to application security. This approach incorporates security and compliance testing into the software development lifecycle from the very outset. This enables developers to embed robust security into every line of code, resulting in more secure applications and easier security management before, during, and after release.
Many IT departments are already shifting towards a DevSecOps approach: the research indicates that 43% have already started taking a DevSecOps approach, and a further 46% are considering it. This reflects the fact that more than three-quarters of technologists now regard a DevSecOps approach as critical for organizations to effectively protect against a multi-staged security attack on the full application stack.
DevSecOps is enabled through security automation, which integrates security gates throughout development without slowing down the process, and through AI and machine learning (ML) technologies that identify gaps, predict vulnerabilities and automate processes to remediate any security holes.
For IT departments, DevSecOps involves wholesale cultural change. Technologists must become less skeptical or suspicious of other teams and more open and transparent about their work. They must embrace new working methods based on collaboration, mutual understanding, and recognition.
The generalist-specialist technologist
Organizations need IT professionals with the right skills to effectively manage application security against constantly evolving and sophisticated threats. These professionals should be able to detect and resolve issues across different technology stacks, including cloud-native microservices, Kubernetes containers, multi-cloud environments, and mainframe data centres. However, a lack of application security skills and resources is becoming a significant challenge for many organizations. Less than half of technologists feel confident in managing application security threats. As a result, IT leaders will need to recruit and develop these skills urgently.
Furthermore, technologists will need to broaden their skill sets and understand other areas of IT to work effectively as part of an integrated application team in a DevSecOps approach. Security professionals should develop new skills in application development, while developers should become more knowledgeable about security. Interestingly, most technologists recognize the importance of pursuing a dual approach to upskilling. They believe that successful modern technologists should be specialists in their field and generalists across other areas of the technology stack.
The shift to DevSecOps may initially challenge technologists, but it presents an opportunity to try new ways of working, expand knowledge, and make new connections. Those who embrace the change and focus on developing both their specialist and generalist skills will position themselves for success in the new cloud-native environment.