Michael Smith, Field CTO, Neustar Security Services
A recent report conducted by Neustar International Security Council (NISC), a group of cybersecurity professionals across key industries, government agencies and companies, found that organisations plan to invest in DevSecOps in 2023. The level of urgency for them to do so has grown significantly, in response to ongoing cyber threats and high-profile supply chain attacks, and increased digitisation.
DevSecOps is a crucial strategy in which automated security is included in every stage of software development. Adopting DevSecOps makes application and infrastructure security a shared responsibility among the development, operations and security teams within organisations, maximising protection at all levels. Organisations are beginning to acknowledge this: 93% of respondents said they are focusing on DevSecOps in 2023, and 86% of participants agreed that DevSecOps has become a ‘business priority’ in the last year.
The evolving threat landscape
In the last two years, there has been a shift to cloud-based delivery models or multi-cloud environments with remote or hybrid capabilities to cope with the “new normal.” This shift has created new gateways for bad actors and expanded organisations’ attack surface. Cyber extortionists are adopting more complex attack methods to bypass organisations’ defences.
75% of the survey respondents listed ransomware as an increasing threat to their organisations, followed closely by DDoS attacks. Targeted hacking and social engineering via email are also rising. The annual review of the National Cyber Security Centre (NCSC), part of GCHQ, reported that 18 ransomware attacks in the UK last year required a national-level response.
In light of increased digitisation, connectivity and intensified geopolitical conflicts, international leaders and governments have become more aware of the risk ransomware poses to not only businesses but also critical national infrastructure. The European Commission proposed new rules earlier this year that aim to integrate efficient cyber and information security measures across EU institutions, bodies, offices, and agencies.
Ransomware attacks are increasing in volume and severity, with catastrophic consequences for businesses and governments alike. In fact, 92% of respondents agreed that companies should face punishment if their software is found to be insecure, with over half (51%) favouring government intervention. These participants stated that government bodies should compel companies to adopt stricter security measures and implement DevSecOps.
Why companies are prioritising DevSecOps in 2023
As threats continue to become more sophisticated and ubiquitous, organisations are looking to improve their security measures accordingly. 63% of respondents claimed that adopting DevSecOps leads to a more rigorous security-centric culture within their organisations.
DevSecOps is already proving to be essential: 72% of participants feel that their ability to discover and monitor applications and APIs has increased after implementing the strategy. Furthermore, 64% agree that they need further code monitoring to detect vulnerabilities, a capability which DevSecOps can provide.
The urgency to adopt DevSecOps was driven by increased digitisation, with 60% listing it as a contributing factor, as well as supply chain attacks across the industry, which were a concern for 53% of respondents. It has been two years since the Sunburst attack on SolarWinds impacted many organisations, making it apparent that supply chains are part of every company’s attack surface and give attackers an opportunity to bypass a company’s security defences. Enterprises are starting to become aware of the need to optimise their security measures, preferably through a proactive strategy built on an ‘always on’ approach to cybersecurity. DevSecOps can identify security vulnerabilities with 24/7 monitoring.
Despite the growing prioritisation of DevSecOps, only 13% of these organisations have fully adopted this strategy. 42% feel that the lack of security talent is preventing them from implementing a formal strategy. However, this does not mean that companies should leave DevSecOps out of their cybersecurity approach. Security teams should go beyond software updates and bug fixes in their protection and prevention efforts. Multi-layered defences such as regular backups and reliably updating software and systems are vital to effective security, but with the continually changing threat landscape, early detection is more critical now than ever. In addition to the basics, organisations need to start implementing a range of effective prevention and mitigation measures such as DevSecOps.
Establishing a more proactive cybersecurity strategy
With increasing threats such as ransomware, DDoS attacks and supply chain attacks, DevSecOps is integral to the cybersecurity of organisations. In 2023, organisations need to prioritise not only implementing DevSecOps in their internal security but also adopting the best practices that make this strategy effective.
This approach can include automating tasks and conducting regular testing and security audits. It requires efficient communication between the development, security and IT teams, as well as educating these teams about the cultural shift and the advantages of establishing a clear DevSecOps strategy.
Next year, every company must make cybersecurity and DevSecOps a business priority. Ideally, leaders should consider security a core part of their company culture and a core capability of their product development process. This includes creating a dedicated in-house security team and embedding compliance and security practices within their developer tools. Only then will they be thoroughly prepared for any given event and place themselves in a far stronger position in this constantly evolving and perilous threat landscape.