Puppet has sliced and diced its State of DevOps report to identify how individual industries are doing when it comes to security, and the answer is... not well.
Figures were broken out for technology, financial services and insurance, telecoms, retail/consumer, and government, awarding report cards for DevOps evolution and security integration. Unsurprisingly, technology companies seemed to be doing well, scoring As across the board.
But when it came to other sectors, the picture was more variable.
Financial services firms showed a high level of DevOps evolution, but very few were reaching “the higher stages where teams are successfully applying automation to security considerations” meaning the sector scored a C-. While there were often mandated practices centred around auditing compliance issues, these tended to act as a bottleneck when it came to deploying software.
Retail and consumer scored a B for DevOps evolution, but just scraped a C+ for security integration, with just 28 per cent of respondents doing security reviews before deployment.
Government was similarly poor – though it should be remembered this category ranged from the likes of the US Air Force to cash-strapped municipal councils. Just 11 per cent were rated as having high-functioning DevOps practices, with the sector scoring a C overall for DevOps evolution. Security integration was either wonderful or woeful, giving the sector a B- overall.
Telecoms scored high on DevOps evolution, but exhibited the highest levels of “strain between security and ops teams”. Overall, the sector scored a B for security integration, which might be worth considering as you choose your 5G provider.
Nigel Kersten, Puppet’s UK field CTO, said the relatively poor showing of the financial, insurance and retail sectors was in part down to the companies being older, meaning accumulated technical debt, out-of-date technology and other drags on evolution.
In the case of finance, he added, because separation of ops and security is often mandated – or at least perceived as such – this can be a barrier to adopting a more up-to-date posture.
But while there might be measurable failings in companies’ security practices, does this actually translate into more security breaches?
Kersten said: “People aren’t particularly open about these things unless they’re forced to. But I guess, somewhat anecdotally, the ones who are transforming the fastest are usually the people who’ve had a relatively recent breach.”
He added, “It’s probably not the state of the world we would like to learn, but I think a lot of the data breaches didn’t really seem to result in companies being significantly punished.”