What Is DevOps Maturity, and How Does It Relate to DevOps Security?

By now, many organizations have turned to DevOps as part of their ongoing digital transformations. This process has not been the same for any two companies. Indeed, organizations have embraced DevOps at their own place, and they’ve invested varying levels of time and budget into their nascent deployments. Such variety has helped shape organizations’ DevOps maturity in terms of their strategy and current capabilities. As an example of this, more than 15 percent of respondents to IDC’s Application Services Survey said that their organization is currently refining and standardizing DevOps capabilities within IT and a few Line of Business (LOB) units. By contrast, 10 percent of survey participants said that their organization is regularly refining its DevOps strategy and capabilities as it applies to all IT and LOB assets. Instructive in their own right, these findings raise an important question: what exactly is DevOps maturity? In this post, we’ll examine this topic in detail. We’ll also spend some time reflecting on how DevOps maturity synchronizes with DevOps security.

Clarifying DevOps Maturity

The term “DevOps maturity” refers to how much organizations have completed and how much they still have yet to accomplish in their DevOps journey. According to CA Technologies, organizations can use four areas to gauge their level of DevOps maturity. These are as follows:

1. Culture and Strategy: DevOps is a cultural shift in that it removes boundaries and brings development and operations teams together. Such a transition requires careful planning if it is to be successful in the long term.
2. Automation: Automation unifies tools in such a way that teams can share them. In DevOps, for instance, automation facilitates continuous delivery and continuous deployment. It also enables teams to be creative and not waste their time working through various repeatable tasks.
3. Structure and Processes: The modern business has processes for everything from incident response systems to communication tools. It’s therefore no wonder that processes feature heavily in DevOps.
4. Collaboration and Sharing: Employees might be dispersed around the world, but they still need to be able to work alongside each other in support of a DevOps culture. This collaboration requires that employees align their tools and resources.

These factors interact within each stage of DevOps maturity. In general, organizations are likely to find themselves in one of four stages. Forbes elaborates on these phases:

1. Unconscious Incompetence: Organizations in this stage don’t understand what DevOps is and therefore fail to grasp its business advantages. As such, none of the factors are present in this particular manifestation.
2. Conscious Incompetence: Within 12 to 18 months of starting their DevOps journey, organizations usually seize on many of DevOps’ automation components to try to automate their processes. That being said, teams generally still perform much of this work within silos. There’s little to no collaboration and sharing of resources involved.
3. Conscious Competence: Within four years of embarking on their DevOps voyage, organizations have successfully done all they want with automation. They then begin to focus on improving collaboration across all platforms and building a platform that can streamline the sharing of resources and tools between development and operation teams.
4. Unconscious Competence: Organizations have created a robust DevOps culture that supports in-depth collaboration between teams with the help of a formalized structure and concrete processes for sharing tools and resources.

The Link to DevOps Security

The level of DevOps maturity directly relates to an organization’s competitive edge for releasing better software faster. As organizations become more DevOps-mature, this rate of digital innovation increases. That is, until these software deliveries crash into bolted-on security measures, protective afterthoughts which almost always delay the deployment chain. DevOps maturity thereby inevitably forces organizations to reconsider their security practices. This step involves moving security into the DevOps domain so that it becomes closer to the application itself. Typically, DevOps teams at mature organizations work with security personnel to build security into earlier parts of the software development lifecycle. They can even use containers to deliver security fixes on a continuous basis and limit the amount of resources which bad attackers can compromise with a single attack. Such collaboration is essential for realizing the security advantages of DevOps maturity. As Dark Reading notes in a blog post:

Security and DevOps teams can work together to protect the infrastructure. Security team members don't have to fully understand all the development tools — they can focus on sharing the security principles and policies to apply to the new dev tools. DevOps and security can better learn how to work together in new ways and speak each other's language if they implement a container security platform that integrates native DevOps tooling.

Realizing this level of collaboration isn’t easy by default. Gurpreet Sachdeva explains in an article for the State of Security how organizations need to find a way to embed security within the DevOps lifecycle without hampering speed and agility. They also need to help reconcile the conflicting goals of development, which wants software released as soon as possible, and security, which wants all vulnerabilities addressed, in the name of effective communication.

How Should Organizations Navigate These Challenges?

The answer lies in Tripwire’s eBook, “Driving DevOps Security: Scalable Cybersecurity Best Practices for Scalable Terms.” This resource gives organizations everything they need to know to be successful in their respective DevOps journey. It starts by identifying the key factors which organizations need to begin their transition. It then focuses on how organizations can apply foundational security controls and key DevOps tools to make their voyage as smooth as possible. Towards that end, the publication also spends some time discussing how organizations can make continuous improvements to their DevOps culture. Learn more about how security and DevOps maturity go hand and hand by downloading your copy of this eBook here.