When we talk to our clients, it's understandable that they are often worried that, somehow, their ability to secure digital products and services cannot keep pace with the speed at which those products are built. In a previous blog, we discussed how new DevOps tools and methodologies accelerate the creation of new features and updates to applications.
However, traditional approaches to security can no longer keep pace due to a variety of challenges, resulting in increased exposure to cyber risk and a decrease in the speed of delivery. The public sector faces a unique set of challenges due to its organizational setup and the nature of its work.
Recently, I had the opportunity to speak with a senior security expert working in the UK public sector, in order to understand which security challenges, in his opinion, top the list when it comes to delivering new digital services for government.
Here's a summary of our discussion.
Challenge 1: The stakes are very high
According to him, the digital transformation of the public sector, driven by the government's "Digital by Default" strategy, aims to boost public services such as healthcare, pensions, universal credit, and law enforcement with digital technologies in order to make them more accessible and operationally efficient.
The problem he focused on was that such digital services are also high-value targets to a variety of would-be attackers for two main reasons:
- Some of the services are considered critical national infrastructure. If they were unavailable for any period of time, there would be a high chance of social unrest, making them ideal targets for activists and state-sponsored hackers.
- The volume of sensitive citizen data managed by the services could be exploited for financial gains by organized criminal gangs, disgruntled civil servants, and connected third parties.
Challenge 2: Legacy security mindset is deep-rooted within the culture
The second big challenge is that siloed security functions do not integrate well with the newer digital functions.
Furthermore, security functions with an old-school approach to working are still the norm, and digital departments can find it difficult to collaborate with them. For example, the security function mandates heavy documentation and vetting processes, which often fly in the face of the agile principle of "working software over comprehensive documentation."
Another challenge is that some security managers are not familiar with the latest technology and methodologies, which makes it difficult for them to assess risks and make recommendations.
Challenge 3: A reluctance to embrace cloud technology and open source products within the technology stack
As in other heavily regulated sectors, public sector organizations are still not placing big bets on cloud-based delivery models, despite having plenty of options available from tech giants such as AWS, Google, and Microsoft.
For DevOps, the cloud is at its core, as it enables scaling the infrastructure up or down in a matter of seconds, as and when needed. However, according to our security expert, the security function in a typical public sector organization operates a list of approved services and tech stack elements that restrict DevOps teams from using a better form of technology (usually cloud-based).
This practice, he says, gives the department the control it needs to reduce exposure to security risks. The challenge, however, is that such a list is not updated frequently and is sometimes maintained by people who don't understand the technology. As a result, agility suffers because teams struggle to deliver iterative improvements quickly across the stack.
Automating delivery pipelines will not address all the challenges
Technology is only part of the solution though. It is clear from interviewing our security expert that many challenges arise from cultural differences and a lack of education. With this in mind, organizations should focus on the following core principles to fully achieve a DevSecOps approach to security:
- Educate your workforce
- Automate your processes
- Monitor your applications and security level progress
Over the next three articles, we will explore each of these DevSecOps principles further, and how they can be applied to ensure departments generate the maximum value from DevOps while upholding their security responsibilities to UK citizens.
In the meantime, you can find out how secure your DevOps is by filling out our online assessment. It’s free, anonymous, and allows you to benchmark your maturity against other organizations and industries.