It's been 8 years now since Neil MacDonald coined the term "DevSecOps" (originally "DevOpsSec") - and 11 since Patrick Debois came up with the term "DevOps" itself. We've been thinking a lot recently about how we can help organizations shift security left - which led me to wonder about how many people are actually doing DevSecOps.
In my recent post on evolving your organization's security maturity, I noted that there's a lot of hype around DevSecOps, but that things are still in their early stages. With this in mind, I thought I'd gather some statistics to see how the sector is actually growing. So, what can we say about the state of DevSecOps in 2020, statistically?
Five stats we think sum up the state of DevSecOps in 2020:
The Gartner Hype Cycle for Agile and DevOps, 2020, indicates that DevSecOps is in the early stages of mainstream adoption. Gartner quotes a 20-50% market penetration among DevSecOps' target audience, and places it within the "Slope of Enlightenment" on the Hype Cycle. Gartner projects that DevSecOps will reach mainstream adoption within 2-5 years.
The Gartner Hype Cycle is a trusted source when it comes to predicting mainstream adoption of technology. That DevSecOps is placed on the "Slope of Enlightenment" shows that the technology - and the philosophy behind it - has begun to pay dividends to its adopters.
GitLab's Mapping the DevSecOps Landscape 2020 survey of over 3,650 respondents found that (of the sampled organizations using DevOps):
So 62% of respondents had DevOps implementations that were 1-5 years old.
This is interesting in light of the Gartner prediction above. DevOps, most would agree, is becoming normal practice for many organizations. The bulge of DevOps users with 1-5 years of experience shows the development of this trend. We believe DevSecOps to be the next step in this journey - so these stats seem to support Gartner's analysis.
Sonatype also found that just 15% of respondents rated their adoption of DevOps as "mature". This is compared to 49% who said their adoption was "immature" and 36% who said it was "improving" (n=5,045).
These stats suggest that while many organizations have a DevOps strategy, few feel it's yet complete. We see DevSecOps as the next piece in that puzzle - so there's certainly room for its adoption to grow in the near future.
Everyone knows there's a disparity between the availability of skill in development and security. But the size of the issue may come as a shock. Back in June, The Daily Swig caught up with GitHub's Nico Waisman. Nico mentioned that by GitHub's reckoning, developers now outnumber security professionals 500 to one.
That's quite a scary figure. But from a DevSecOps perspective, it probably means there are plenty of organizations that could benefit from automating more of their cybersecurity. By integrating security into development, you can leverage the power of those 500 engineers to help secure what you create.
78% of respondents to ISACA's State of Cybersecurity 2020 report thought demand for individuals with technical cybersecurity skills was increasing. The same figure for leadership positions like cybersecurity manager (46%), senior manager (33%), and CISO (29%) was much smaller.
It's not easy to fill any security role right now. But the biggest demand is for technical doers - rather than managers. And this is where DevSecOps gives the biggest gains - because it frees up time for security engineers to work their magic. This is the problem DevSecOps was born to fix.
DevSecOps might not conquer the world tomorrow - or maybe even the day after - but it's showing real promise. As we've mentioned before, it takes time to develop your organization's culture and security maturity toward practices that fit. It's not a process that can, or should, be rushed.
We've also seen that there's a very real problem in security. There simply aren't enough technical experts to go around. And in an increasingly online world, with DevOps now well established on the radar, it seems natural to try to automate that problem away. It could well be that, for DevSecOps, reality is about to catch up with the hype.