Many view DevSecOps to be about the automation of security testing in the software development pipeline through tooling; the reality is that it takes more than that. It requires a fundamental change in corporate culture, organisation structure and ways of working.
Leveraging our clients and networks, we surveyed and benchmarked 100 organisations on their DevSecOps maturity.
Our initial hypotheses
Before we started the benchmarking survey, we had three hypotheses:
- By country, the US would be the most mature when it comes to embedding security in software development. After all, most technology “unicorns” are US-based.
- By industry, the public sector would be the least mature when it comes to securely developing software and applications due to higher levels of bureaucracy.
- Finally, we thought that start-ups would be leading the way in DevSecOps maturity given that most start-ups adopt agile and DevOps practices.
What the data tells us
1. The UK appears to lead the way over other countries when it comes to DevSecOps, although not by much…
Our DevSecOps survey, State of DevSecOps 2020, suggests that UK organisations display higher levels of maturity than other countries such as the US, France and Spain. The average (mean) DevSecOps maturity in the UK was 57%, 14% higher than the lowest-scoring country, France, where organisations have an average DevSecOps maturity of just 43%. However, when compared with the US and Spain, this lead shrinks to only 3%.
The UK start-up scene is very active, and many of the start-ups we interviewed are UK-based. It is easier to get DevSecOps right on a green-field site: smaller organisations carry less technical debt, bureaucracy and general resistance to change, so we may be seeing the start-up trend reflected in the DevSecOps scores captured in our survey.
2. The public sector seems to have the highest DevSecOps maturity
Our survey reveals a large range in DevSecOps maturity across the sectors we engaged with. Public Sector organisations lead the pack with a 66% maturity, a stark difference compared with Financial Services organisations, which score 20% lower with an average maturity of 46%.
High scores from Public Sector organisations may be explained by the UK’s Government Digital Strategy (2012), which aimed for ‘digital by default’: digital services so straightforward and convenient that all those who can use them choose to do so. This includes initiatives such as expanding access to services and redesigning them to meet a new digital-by-default service standard. The outcome of such a focus on digital redesign may have indirectly boosted DevSecOps maturity.
3. And finally, we were right that start-ups would be leading the way in DevSecOps maturity, given that most start-ups adopt agile and DevOps practices.
All the start-ups we interviewed follow agile principles and team structures, and build their applications and underlying data capability on cloud platforms. For example, when we interviewed the CTO of a European start-up, the CTO was discussing with the team how to ensure compliance with GDPR while designing a chatbot for a 24/7 service on a cloud platform. On average, cloud-enabled companies outperform non-cloud-enabled companies when it comes to DevSecOps maturity.
However, large organisations (>50,000 employees) – primarily financial services (FS) or governmental bodies – also exhibit high DevSecOps maturity, as they continue to invest to fend off challengers. Financial services and the public sector also have more resources than sectors like retail or manufacturing, which in recent years have been subject to hostile competition that chips away at their margins.
We have always known, from discussion and work with our start-up partners, that they are far more agile in responding to change because there are no layers of technical debt, bureaucracy and general organisational resistance to change. That said, large organisations, when faced with the pressure to innovate, differentiate and generally stay in the game, will adapt.
For more detailed analysis and frameworks to support DevSecOps maturity, download a copy of Capgemini’s 2020 Global DevSecOps Insights report here.