Almost any news story on cloud and Software-as-a-Service (SaaS) adoption contains a common refrain: Security concerns often hold customers back. Of course, every company should pay attention to security risks. But it’s important to understand that the leaders in SaaS and cloud services have now been perfecting their multi-billion dollar businesses for more than a decade, and are growing faster than most everything else in technology. Clearly, many companies are managing their cloud security concerns.
The cloud’s transition to mainstream adoption presents an opportunity to study software teams and their info-security colleagues. What does collaboration between software teams and info-security produce? How do cloud security perceptions differ? Are info-security teams really telling everyone “no” or is the reality more collaborative?
To look for answers to these questions, last fall New Relic commissioned Forrester Consulting to survey how enterprise application developers collaborate with security professionals, the tools and practices they rely on, and how well they’re doing at alleviating cloud security concerns.
The April 2016 study—Modernizing Your Applications: Collaboration With Security Teams Increases Innovation—is based on a survey of more than 150 enterprise IT security and app-development professionals, and it reveals that developers who work with security professionals get “major and tangible business and technical benefit.” Importantly, monitoring, continuous integration, and security management tools are positively correlated with developer and security collaboration—collaborators are twice as likely to use these tools, and frequent collaborators are four times as likely to use them in the cloud.
Put it all together and you get a clearer progression of how workflow and collaboration between these two groups enhance business efficiencies and cloud security:
- Regular collaboration between developers and security colleagues begets secure, high-performing cloud development.
- Security concerns hinder cloud development’s potential.
- Frequent collaborators incorporate cloud development tools as core workflow components.
Let’s take a closer look at each step.
Misaligned security concerns underscore the need for collaboration
Most enterprises name security as the major factor limiting cloud and SaaS development projects. But there’s a significant discrepancy between what app developers think is a security issue and what security people actually think is an issue. For example, devs often think data encryption is more important than security people do. Security professionals, meanwhile, are more worried about cloud security risks than developers realize. But both developers and security folks recognize that they can work together to understand each other’s viewpoints and build better, more secure software. They know that the more frequently they collaborate, the better the results, “including improved customer satisfaction, business/IT alignment, quality and frequency of releases, and the rate of innovation at their firms.”
Embedding dev/security collaboration into project workflows yields the biggest benefits, with “frequent collaborators” more likely to describe their cross-functional interactions as “very valuable.” This shows that while security is a valid concern, the issues are not insurmountable. Just as important, the efficiency benefits of cloud and SaaS tools are so compelling that it’s more than worth the effort to find new ways to work together to address the perceived risk.
Even more important, perhaps, is that an overwhelming 96% of collaborators say that working together leads to a major (82%!) or moderate (14%) benefit in terms of customer satisfaction.
Tools matter, too
How can enterprises empower their developers and security teams to collaborate? One requirement is to provide the right tools.
According to the survey, devs who work with security teams are twice as likely to use software development and security tools such as monitoring systems, continuous integration tools, runtime security management tools, and release management tools.
Significantly, frequent collaborators are more than four times as likely to deploy these tools in the cloud. The right tools provide a single set of data to developers and security teams, helping to resolve disagreements based on facts rather than assumptions, which helps build trust across the organization.
Cloud development matters
The survey also showed that enterprise cloud development is quickly increasing as business demands for custom software skyrocket. Enterprises are seeing greater demand for new, more complex applications, and they are scrambling to meet that demand without compromising their commitment to security.
Survey respondents overwhelmingly said “custom-built software is increasingly important to their business” and the study stated that “demand for new cloud applications and services is increasing across the enterprise” even as “development speed and application requirements are intensifying.”
Doing it right
To keep up, enterprises have little choice but to leverage the cloud’s ability to speed development and innovation through “on-demand elasticity, agility, and cost efficiency.”
To do that right, the study makes four key recommendations:
- Align goals across teams. Development teams should embrace security teams’ know-how while security teams “must internalize the criticality of new technologies,” the study said, and work with devs to minimize risk while still driving innovation.
- Fight fear of the unknown with real experience. “Over time,” the study said, “fear of the unknown is replaced by accurate identification of risk and appropriate countermeasures.” Getting there requires measured exposure and experience—and the knowledge that doing nothing creates its own risks.
- Embed data-driven collaboration processes. Speeding software delivery requires optimizing design, development, testing, and deployment, so designers and testers need to be part of the flow just like developers and security pros do. Ideally, cloud development tools should be incorporated as core workflow components.
- Don’t stop there. “It makes sense to include infrastructure and operations professionals in the conversation,” especially in DevOps environments. Make sure that everyone’s goal is “rapid delivery of high-quality, secure, and stable software.”
For more insight into how developer/security collaboration can address enterprise cloud-security concerns, download the research study here.
Join our free webinar!
Be sure to join us on Thursday, June 30, at 11 a.m. PT (2 p.m. ET) for an informative webinar based on these Forrester insights: Security vs. Development Teams: Friends or Foes? Our speakers will be Jeffrey Hammond, VP & Principal Analyst, Forrester, and Abner Germanow, Senior Director of Strategic Marketing, New Relic. Jeffrey and Abner will be discussing how developers, operations, and security & risk management professionals are working together to solve today’s security and operational challenges, and how they are applying DevOps tactics to drive increased innovation in their shops. Don’t miss out—register today!