Puppet, the standard for automating the delivery and operation of the software that powers everything around us, has revealed the findings of its first State of DevOps: Industry Report Card. The report, based on nearly 3,000 responses collected through Puppet's eighth annual State of DevOps survey, examines how key industries perform not only in their DevOps success and progression but also in their ability to integrate security into their DevOps practices.
The report findings include:
- The technology industry is the pack leader across the board in terms of both DevOps maturation and integrating security into the software delivery lifecycle.
- Despite the sensitive information this industry handles, the financial services and insurance sector scored the lowest on security integration of any industry in the report.
- This industry is also further behind on evolving their DevOps capabilities likely because they are constrained by a higher regulatory burden both in terms of volume and complexity.
- The retail industry surpasses all others, even technology firms, when it comes to deploying on-demand.
“Integrating security into your DevOps practices can be challenging, but when done correctly is proven to pay off. Security should not be an afterthought; it must be a shared responsibility across teams during every stage of their software delivery lifecycle,” said Alanna Brown, Sr. Director Community and Developer Relations at Puppet. “In this report, we provide a birds-eye view of how each sector is performing when it comes to security integration, and supply practical advice on how best to drive DevOps initiatives forward based on their unique business characteristics and overall industry trends.”
Industries were measured based on their overall DevOps maturation and current state of security integrations. Here is how each industry faired:
- Technology: The technology industry leads the way for both DevOps maturation and security integration for requirements, design, building and testing. One interesting observation around this industry is that 35 percent of these companies view security as a shared responsibility by all teams, not just the security team — compared to the industry average of 31 percent.
- It also had the highest degree of leadership support for DevOps initiatives. 28 percent of technology respondents say that leadership always supports DevOps initiatives.
- Financial Services and Insurance: This sector has the largest number of organizations that are in the group characterized as Medium on the DevOps evolution journey. Conversely, they have the lowest number of organizations that are characterized as High. This shows that the financial services and insurance industry have a solid foundation of DevOps practices to build upon, but advancing beyond the middle is challenging.
- Audits also stand out in financial services and insurances and not in a good way. Only 17 percent of financial services and insurance industry respondents strongly agree with the statement “Our audit process helps minimize risk to the business.” This is the lowest of all the industries — the overall average is 24 percent.
- Telecom: The telecom industry has made significant progress to evolve its DevOps practices. The number of companies that scored in the High category of the DevOps evolution rose 42 percent since last year’s survey. One glaring challenge with this industry is it has the highest level of friction between security and delivery teams — 19 percent of companies reported friction when collaborating together.
- Retail: The retail industry has the highest percentage of firms that can and do deploy on demand — 57 percent are capable of deploying to production on demand and 28 percent say that they are actually deploying on demand. This industry also resolves their critical vulnerabilities the fastest with 53 percent reporting remediation in under one day.
- Government: Conversely to the retail sector, government agencies reported the slowest time to remediate critical vulnerabilities with three percent of respondents being able to remediate in less than one hour and 24 percent able to remediate in less than one day. In terms of security integration, there’s no real middle ground in the industry, 43 percent of respondents report either significant integration or full integration while 42 percent have no or minimal integration.
