Last year, we conducted a survey of more than 1,500 Chef customers to help us better understand their most pressing issues related to automation: productivity, roles and technology adoption. As we’ve noted in the past, the highest-performing software organizations outperform their peers in each of three key areas and their associated metrics.
- Speed: The rate of software change, measured by deployment frequency and time from commit to deploy.
- Efficiency: Effectiveness of software change, measured by change failure rate and mean time to recover.
- Risk: Quality of software change, measured by compliance audit frequency and mean time to remediate.
At Chef, we see it as our responsibility to help cross-functional teams optimize performance in each of these areas. We do so by drawing on our customers’ experience and our own, and applying what we learn to develop the tools they need. Last year’s survey taught us a lot that helps speed us toward these improvements, including the following:
- Cross-functional teams are likelier to move faster, have greater resiliency, and adopt new technologies faster than traditionally structured teams
- Managing hybrid infrastructures is the reality for most users
- Workloads are increasing faster than headcount
- Speed and efficiency are the biggest target areas for continuous improvement
- Compliance automation presents a large opportunity for efficiency gains
Digging into Compliance
While we and those with whom we shared them found all of these issues compelling (they generated a great deal of discussion on our blog, at conferences and among our customers and colleagues in the field), we wanted to dig a bit more into the last point. The growing attention to compliance and the resulting need for compliance automation have only increased in severity and importance since we launched InSpec back in 2015, and the need for more advanced capabilities has grown with them. We wanted to see how well we understood the associated dynamics, in order to determine how well we were meeting that need.
To better understand how things were changing, and how we can best help our users address them, we fielded a second survey late last year. With it, we polled more than 640 practitioners globally to determine their top concerns, team behaviors and implementation practices for compliance assessment and remediation.
The State of Compliance in the Enterprise
- Prior to reaching production, most teams (74 percent) assess software for compliance manually. Once violations and vulnerabilities are discovered, half of respondents still remediate manually instead of automating the process.
- Application and infrastructure teams need days (31 percent) or weeks (19 percent) to remediate security issues once they have been detected. Only 18 percent of respondents remediate in hours.
- Automation efforts are limited in scope, reducing organizations’ effectiveness when assessing and remediating security threats. More than half (52 percent) of respondents reported fewer than 25 percent of their servers covered by automated compliance capabilities.
- Application teams have different priorities than infrastructure and security teams, reporting that they care most about service reliability, whereas infrastructure and security teams care most about preventing data breaches.
- Even though regulations such as SOX, GDPR, HIPAA, PCI DSS, and FISMA apply to deployments of all sizes, respondents with fewer servers were more likely to believe they were not subject to any regulatory compliance standard. Only 58 percent of respondents with 1-100 servers believed they were subject to regulation. This percentage increased with deployment size: 67 percent of respondents with 100-1000 servers, 82 percent with 1000+ servers and 100 percent with 10,000 servers.
Compliance Automation for Agile Risk Mitigation
Survey respondents reported manually assessing for compliance throughout all stages of the application lifecycle. It seems that while companies are increasingly embracing agile software development, they neglect to automate compliance processes. They open security holes faster than they can plug them, leaving their organizations vulnerable to downtime and creating rifts between infrastructure and application development teams.
As they shift to cloud native architectures, infrastructure teams find themselves stuck between developers’ speedy software development tactics, requests for service reliability, and their own responsibility for preventing data breaches. While infrastructure, application and security teams still see assessment and remediation of security issues as more important than speed of software development and delivery, their manual processes continue to limit their productivity.
Taking a ‘detect, correct, automate’ approach to assessment and remediation greatly eases their burdens, helping them detect exposures earlier, reduce malicious exploits and remediate faster. Automating the discovery, assessment and remediation of compliance errors helps both infrastructure and security teams prevent security breaches at pace with the rest of the organization. Does our InSpec solution smooth all of the bumps and plug all of the holes that every team needs in every instance? As with any security-focused solution, it would be foolhardy to say that it does. Does it put them much further down the path toward achievement of the speed/efficiency/risk balance they all must continue to seek? We think so.
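To make the ‘detect, correct, automate’ loop concrete, here is an added illustration written in plain Ruby. It is not InSpec code and not Chef’s own tooling (InSpec has its own profile DSL); it simply shows the shape of the pattern: a small set of controls is checked against a configuration, every failing control is remediated, and the checks are re-run to verify the fix. The sshd_config text, the control ids and the expected values are all constructed for the example.

```ruby
# Added illustration of a "detect, correct, automate" loop in plain Ruby.
# Not InSpec code: InSpec's own DSL is different. The sshd_config sample,
# control ids and expected values below are constructed for this example.

SAMPLE_SSHD_CONFIG = <<~CONF
  Port 22
  PermitRootLogin yes
  PasswordAuthentication yes
  X11Forwarding no
CONF

# Each control names a directive and the value policy requires.
CONTROLS = [
  { id: "ssh-01", key: "PermitRootLogin",        expected: "no" },
  { id: "ssh-02", key: "PasswordAuthentication", expected: "no" },
  { id: "ssh-03", key: "X11Forwarding",          expected: "no" },
].freeze

# Parse "Key value" lines into a hash, skipping comments and blank lines.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    cfg[key] = value
  end
end

# Detect: return every failing control with the observed and expected value.
def detect(config_text)
  cfg = parse_sshd_config(config_text)
  CONTROLS.reject { |c| cfg[c[:key]] == c[:expected] }
          .map { |c| { id: c[:id], key: c[:key], found: cfg[c[:key]], expected: c[:expected] } }
end

# Correct: rewrite the config so each failing directive carries the required
# value, replacing an existing line in place or appending the directive.
def correct(config_text, findings)
  lines = config_text.lines.map(&:chomp)
  findings.each do |f|
    new_line = "#{f[:key]} #{f[:expected]}"
    idx = lines.index { |l| l.strip.split(/\s+/, 2).first == f[:key] }
    if idx
      lines[idx] = new_line
    else
      lines << new_line
    end
  end
  lines.join("\n") + "\n"
end

# Automate: detect, correct, then detect again so the run proves the fix took.
def detect_correct_verify(config_text)
  before = detect(config_text)
  fixed  = correct(config_text, before)
  after  = detect(fixed)
  { findings_before: before, findings_after: after, config: fixed }
end

if __FILE__ == $0
  result = detect_correct_verify(SAMPLE_SSHD_CONFIG)
  result[:findings_before].each do |f|
    puts "FAIL #{f[:id]} #{f[:key]}: found #{f[:found].inspect}, expected #{f[:expected]}"
  end
  puts "findings remaining after remediation: #{result[:findings_after].size}"
  puts result[:config]
end
```

The re-detect step at the end is the part worth copying: a remediation that is not followed by a fresh assessment leaves the team trusting the fix rather than measuring it, which is exactly the gap the manual processes described above tend to leave open.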
What do you think? Please leave your comments, both on the survey and its outcomes and the solutions we are developing to address compliance needs, in the comments section.
- For more information on how we can help, dig into our Compliance Automation page
- Get the white paper: “Compliance Automation: Bridging the Gap Between Development and Information Security”
- Try InSpec with this hands-on learning module