DevOps is more rapid and secure in some industries than others

Puppet's most recent survey of 3,000 developers finds not all DevOps efforts are created equal.

If you are a proponent of rapid and secure DevOps, your success with these efforts may depend on your industry. Companies in the technology and telecom sectors lead the way in DevOps deployments and related security integration, while financial services and government organizations are only so-so. 

That's the gist of a recent analysis released by Puppet of its survey of 3,000 developers, part of its "2019 State of DevOps: Industry Report Card." The survey examines how key industries perform not only in their DevOps success and progression but also in their ability to integrate security into their DevOps practices.

Industries were measured based on their overall DevOps maturation and current state of security integrations. Here is how each industry fares:

Technology: "A" in DevOps, "A-" in security integration. The technology industry leads the way for both DevOps maturation and security integration for requirements, design, building and testing, the study's authors state. "One interesting observation around this industry is that 35 percent of these companies view security as a shared responsibility by all teams, not just the security team - compared to the industry average of 31 percent." Close to half, 49 percent, report they can "deploy on demand to production."

Seventeen percent of tech companies could be considered "highly evolved" in their DevOps practices -- up from 12 percent in the previous year's survey.

Technology companies also showed the highest degree of leadership support for DevOps initiatives -- 28 percent say that their leadership always supports DevOps initiatives. Of course, this begs the question -- what about the 72 percent of tech leaders who are not being super-supportive of DevOps? Even in the most advanced industry group for software releases, the vast majority are still operating somewhat under the radar when it comes to DevOps.

Telecom: "A-" in DevOps, "B" in security integration. The telecom industry has made significant progress to evolve its DevOps practices, but they are somewhat slow and siloed in their processes. Seventeen percent of telecoms could be considered "highly evolved" in their DevOps practices -- more than double the number in the previous year's survey (eight percent). 

However, only 31 percent of telecom IT managers report they can deploy on demand to production, making this the lowest of the industry categories covered. Another challenge is that it also has the highest level of friction between security and delivery teams - 19 percent of companies reported friction when collaborating together.   

Retail: "B" in DevOps, "C+" in security integration. IT managers in the retail sector can pride themselves on being the fastest-moving of the bunch. This industry has the highest percentage of firms that can and do deploy on demand - 57 percent are capable of deploying to production on demand. This industry also resolves its critical vulnerabilities the fastest, with 53 percent reporting remediation in under one day. Eighteen percent of retailers could be considered "highly evolved" in their DevOps practices -- up from nine percent in the previous year's survey.

Financial Services and Insurance: "B" in DevOps, "C-" in security integration. Financial services firms seem to be stalled in their DevOps growth. Only eight percent of financial companies could be considered "highly evolved" in their DevOps practices -- down from nine percent in the previous year's survey. "Many organizations in this industry have solid DevOps foundations to build upon, but face challenges evolving to a high level," the survey's authors state. "Fifty-nine percent of respondents agreed that technology and processes limit their ability to deploy - representing an opportunity for senior leadership to mandate more standardization and agile methods of working."

Audits also stand out in financial services and insurance -- and not in a good way, the survey shows. Only 17 percent of financial services and insurance industry respondents strongly agree with the statement "Our audit process helps minimize risk to the business." This is the lowest of all the industries -- the overall average is 24 percent.

The problem is many of these organizations may be too big to succeed. "The majority of financial services and insurance firms we surveyed have a centralized security function. In a large enterprise, these security teams can support hundreds of application development teams," according to the survey report's authors. "Security is viewed as a bottleneck and these teams are so buried in manual processes that they have little time to invest in improvements." Only 33 percent of financial services and insurance firms are able to prioritize automating security controls over feature delivery -- the second lowest of all industries.

Government: "C" in DevOps, "B-" in security integration. Perhaps surprisingly, government IT shops are proving to be among the fastest-moving operations of the bunch. A total of 41 percent of government agencies can deploy on demand, coming in second to last for all industries. Government also had the highest number of respondents report that they were able to deploy to production between once a week and three times a month (15 percent) and once a month (14 percent).

Eleven percent of government agencies could be considered "highly evolved" in their DevOps practices -- up from seven percent in the previous year's survey.  

The government sector also leads the way in security integration -- 43 percent report either significant integration or full integration. Why the relatively low marks, then? The Puppet survey's authors report "government agencies were below average at integrating security into the early phases of the software delivery lifecycle -- requirements gathering, design, build, and test -- including having the lowest percentage of agencies with security integrated into the build and design phases." In addition, government agencies reported the slowest time to remediate critical vulnerabilities, with three percent of respondents being able to remediate in less than one hour and 24 percent able to remediate in less than one day.