TL;DR: 49% of enterprises were already integrating security into existing DevOps practices, according to DigiCert’s 2017 survey, while the report argues that security and development both improve when security is built into delivery workflows. The governance issue is not tooling alone but whether security is embedded early enough to shape change, ownership, and process design.
NHIMG editorial — based on content published by DigiCert: New Report Gives Recommendations for Integrating Security into DevOps
By the numbers:
- 49% of enterprises are currently integrating security into their existing DevOps practices.
- The survey assessed more than 300 individuals at hundreds of organizations throughout the U.S.
Questions worth separating out
Q: How should security teams integrate identity controls into DevOps pipelines?
A: Start by moving identity checks to the earliest practical stage in delivery, such as pre-merge, build, or pre-deploy gates.
Q: Why do security controls fail when they sit outside DevOps workflows?
A: They fail because they arrive after the design choices are already locked in and teams are under pressure to ship.
Q: How do teams know whether integrated security is actually working?
A: Look for fewer ad hoc exceptions, less manual rework, and more consistent handling of identities, secrets, and policy across delivery teams.
Practitioner guidance
- Embed security checks in pipeline gates: Apply policy checks to code, infrastructure, and configuration before deployment so access and secret issues are caught while change is still cheap to fix.
- Standardise identity controls across delivery teams: Define the same rules for service accounts, secrets, and deployment permissions across environments to reduce exceptions and shadow practices.
- Assign security ownership to DevOps initiatives: Name a security lead for each major delivery stream so identity risk is handled as part of delivery design rather than after release.
What's in the full article
DigiCert's full blog post covers the operational detail this post intentionally leaves for the source:
- The survey framing and respondent mix across IT, development, and security roles.
- The four recommended practices in their original ordering and wording.
- The broader discussion of how development agility and information security are meant to reinforce each other.
- The survey context behind the 49% integration figure and the report's full recommendation set.
Security in DevOps: what IAM teams need to change?
Explore further
Security outside DevOps is a governance failure, not a tooling gap. The report’s central tension is that enterprises want speed and control at the same time, but separate processes force them to choose one over the other. That creates predictable bypass behaviour, especially when development teams are under delivery pressure. The practitioner conclusion is straightforward: if security is not part of the delivery system, it will be treated as optional.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: What is the difference between embedding security in DevOps and adding more approvals?
A: Embedding security means putting policy and identity checks where work already happens. Adding more approvals usually just increases delay and encourages workarounds. The difference is whether security changes the operating model or simply adds another gate in front of it.