Enterprise hits and misses - DevOps gets a security overhaul, analytics gets ROI, and DoorDash gets hacked

Jon Reed, September 30, 2019
This week - DevOps gets one step closer to DevSecOps as security grabs the headlines. Lessons for analytics ROI are revealed and questioned. DoorDash gets hacked, and earns a fragrant whiff in the process.


Lead story - New data shows that DevOps + security = a winning combination by Kurt Marko

MyPOV: DevOps vendors Puppet, CircleCI and Splunk issued their annual DevOps survey, which homed in on the degree of security integration into real-world DevOps practices.

After issuing the necessary caveat for vendor-sponsored surveys, Kurt writes:

This year’s Puppet, et al. survey builds on last year’s results in which the authors developed a 5-level DevOps maturity model that categorizes practitioners based on the degree to which DevOps had been incorporated into their software delivery cycle. For 2019, the authors sought to identify any correlations between cybersecurity preparedness and an organization’s stage of DevOps maturity.

In other words: if you really have your ~~sh!!t~~ act together with DevOps, is your security correspondingly better? The data points to a cautious yes. At Level 5, the highest DevOps level characterized by "self service":

82% of those at Level 5 agreeing with the proposition that “our security policies and policies significantly improve our security posture.”

But Kurt applies the cognitive brakes:

[The report] stops short of providing a causal connection between meticulous adherence to procedures and improved security metrics.

Indeed - though I found the report's points for integrating security into DevOps practices well stated. However, Kurt calls attention to a much bigger problem:

Until organizations can quantify the ROI on increased spending on security, adding time, expense and process overhead to software development cycles will be a tough sell to executives who see a more direct link between new products and features and their corporate and personal bottom line.

Yep - the IT industry hasn't been scared straight yet. Breaches ahead:

Sadly, it will take a few more existential, company- and career-ending crises to create rapid, significant improvements in the way organizations integrate and prioritize software and infrastructure security.

One small consolation: Kurt managed to get through using ~~the most awkward buzzphrase of all time~~ catchphrase DevSecOps only once (well, okay, twice, but once was quoted material).

Diginomica picks - my top stories on diginomica this week

Vendor analysis, diginomica style. Here are my three top choices from our vendor coverage:

A few more vendor picks, without the quotables:

Jon's grab bag - diginomica headline-of-week crown goes to frequent champ Stuart with Pink-eyed Terminators, clucking Alexas and giant dark data thunderclouds looming overhead - Boris Johnson's Brexit Britain tech pitch to the world. Meanwhile, Neil managed to tie Dolly Parton into enterprise data management in DataOps challenge - the complicated art of making things simple.

Jerry delves further into Google's odd activities of late in Did Google achieve quantum supremacy or not? Bottom line: Google appears to have jumped the PR gun, but Jerry says we can expect self-congratulatory PR balloons and fanfare from Google in a month or two for what he calls a "milestone achievement." Twitter peeps know I have a quantum amount of issues with all of this, but I won't blow a gasket on you just yet.

Best of the rest


Lead story - are companies that lead in data and analytics pulling ahead?

MyPOV: Why yes, says McKinsey, which shared survey results in How leaders in data and analytics have pulled ahead. This is a question I've been pressing BI vendors on for a couple years now. My version is:

If data-driven culture is the goal, shouldn't companies that achieve this separate from their industry peers?

So far, I haven't heard a convincing answer. McKinsey has a dog in this fight; they ~~advertise~~ feature their analytics practice in this piece. Their evidence? McKinsey's Josh Gottlieb and Allen Weinberg hammer "one-off" and "ad hoc" analytics efforts, arguing for a comprehensive/strategic effort instead. They continue:

The survey suggests that companies still dragging their feet do so at their own risk, because the gap between leaders and laggards just keeps growing.

And how do we quantify this gap?

Respondents from these high-performing organizations are three times more likely than others to say their data and analytics initiatives have contributed at least 20 percent to earnings before interest and taxes (EBIT) over the past three years.

Not what I'd call a definitive statistic, but then again, I've seen enough use cases from customers on an analytics journey to be convinced it's a push worth making - even if I've been unable to boil that down as the key driver of success (a great product versus a shoddy, commodified one still matters quite a bit, for example; or you could be measuring the wrong things with your shiny analytics tools).

Grinding axes aside, the debate is not as important as the lessons learned, and here, McKinsey's piece stands out, with tips on building a data culture, empowering employees to make decisions based on that data, etc. Then we go back to a theme of Chris Middleton's robots/jobs analysis:

While automation is becoming more prevalent in all aspects of digital life, management of the data driving these changes is still largely a human-run activity - further underscoring the need for great data talent.

And on that point, we agree.

Honorable mention



So the Labradoodle inventor apologized for creating a diseased, crazy monster. Dunno about that - I think an apology for creating a spectacularly weird dog would be sufficient. There's been a load of political whiffs and pungent satire this week, many of them tagged by Den ~~Won't Get Fooled Again~~ "Breaking Bad" Howlett. Here's one of his fragrant dandies from the UK on the brink.

Meanwhile, I continued my unexpected role as in-flight baby defender:

"Smart homes" continue to bring a fresh batch of nasties:

And yeah, I don't care for upbeat reports on hypothetical Facebook features. You can't incrementally improve something corrupt:

This is the equivalent of a high school making everyone wear uniforms. You're still gonna know who the cool kids are. Be ~~liked~~ cool or be ~~ignored~~ cast out. (Hardcore Rush fans know what I just did there)...

Finally, I don't think DoorDash got a big enough spanking for their breach. So they blame the breach on a third-party service provider (time to scour those terms of service, methinks). Next up, this soggy noodle:

While the company says it took "immediate steps" to block further access by the intruder, it's unclear why the breach took nearly five months to notice.

And this from Ars Technica:

The breach comes about a year after some DoorDash customers said their accounts had been hacked, but DoorDash told TechCrunch at the time that there had not been a data breach.

Does this sound like a company that deserves anyone's ~~pad thai craving~~ Internet business? I suspect, however, they will not pay a price. At the least, change your name to DataDash, so we know what we're getting into. Never thought I'd say this, but: where is my DevSecOps? Kurt Marko, right again. See you next time...

If you find an #ensw piece that qualifies for hits and misses - in a good or bad way - let me know in the comments as Clive (almost) always does. Most Enterprise hits and misses articles are selected from my curated @jonerpnewsfeed. 'myPOV' is borrowed with reluctant permission from the ubiquitous Ray Wang.

Image credit - Waiter Suggesting Bottle © Minerva Studio, Overworked Businessman © Bloomua, Businessman Choosing Success or Failure Road © Creativa - all from Fotolia.com.

Disclosure - Oracle, Infor, FinancialForce, MongoDB, New Relic and Salesforce are diginomica premier partners as of this writing.
