The global security plan sets out a number of requirements, standards, roles and processes applicable throughout the company. It is a reference framework that must remain dynamic, in order to keep pace with the rapid evolution of risks, technologies and uses, but it must also be an operational tool. To spread best practices and embody the security vision approved and supported by executive management, it must be intelligible, accessible and anchored in the business lines. This requires a maturity that is not found in all sectors, banking and insurance being the most advanced.
Another obstacle is the compartmentalisation of organisations, inherited from mergers and acquisitions or generated by the development of parallel activities such as e-commerce and physical sales. Closing cultural gaps in security is rarely a priority during a merger, and the persistence of differing perceptions is a barrier to a company-wide approach.
Finally, a last difficulty, identified by the study, concerns budgets. A formal plan provides a clear, multi-year strategy, which makes it possible to set priorities as well as to spread out investments.
Today, it is estimated that companies still only devote 3% to 5% of their turnover to cybersecurity, whereas the ANSSI (French National Cybersecurity Agency) recommends 5% to 20% depending on the sector. This discrepancy is mainly due to the fact that the information system is often considered a support function rather than a business enabler, which introduces a bias in the risk assessment and therefore in the allocation of resources. It is crucial for the CISO to be able to justify their expenditure. They must argue that today it is impossible to conduct business without trust between partners, whether B2B or B2C, and that they are in a position to provide many guarantees to strengthen this trust, including in new areas such as compliance with security laws (GDPR, the Network and Information Security (NIS) Directive, etc.), standards (PCI-DSS, ISO 27001, etc.) and sectoral regulations (e.g. the French monetary and financial code).
For a majority of the CIOs questioned, security is only addressed once new projects are in production. Such pessimism is a little surprising – and regrettable – when a SecDevOps approach makes it possible to include security very effectively beforehand and at a lower cost. Admittedly, this method is recent, which explains why it is much less widespread than DevOps, but it has undoubtedly proven its worth.
The best way to begin is to carry out a PoC on small projects with the support of motivated teams. In most organisations, there is a team or squad that is already aware of the security issues and feels the need to be better equipped to deal with them.
These employees can be the pioneers of this approach, which requires a certain amount of investment at the beginning but quickly pays off after a few weeks. The challenge is then to scale up, because this requires getting everyone on board and coordinating them, at all levels of the organisation, even though maturity levels are very heterogeneous. Apart from the support of external professionals, having previously set up a global security programme is an undeniable asset.
More than a methodology, it is a culture that needs to be adopted, and the programme facilitates this by setting out a framework of responsibilities at company level. The risk, on the other hand, is to reduce SecDevOps to its tooling. If developers are not supported through their first code reviews, which generally surface many vulnerabilities, this will only reinforce their reticence: the feeling that someone is interfering in their work, that it is being devalued, and that security is just another chore that will prevent them from achieving their objectives. Despite changing attitudes, cybersecurity remains a sensitive subject. For any project, nothing is more difficult to recover from than this kind of false start, and SecDevOps is no exception.
Devoteam is a leading consulting firm focused on digital strategy, tech platforms and cybersecurity. By combining creativity, tech and data insights, we empower our customers to transform their business and unlock the future.
With 25 years’ experience and 8,000 employees across Europe and the Middle East, Devoteam promotes responsible tech for people and works to create better change.
Creative Tech for Better Change
Renaud Templier, Cybersecurity Group Offer Director
Vincent Gervais, Cybersecurity Expert
Laurent Lajugie, SecDevOps Offer Leader