UK organisations are experiencing a plethora of DevSecOps implementation challenges as decision makers underestimate the pain points, research finds.

74% of UK businesses and public sector organisations suffer increases in the most severe category of system failure – P1 incidents – after implementing DevSecOps practices, new research by cloud consultancy Capacitas reveals.

The report highlights how organisations with DevSecOps have failed to optimise operations through inadequate automation and excessive focus on technology, rather than people and processes. A high proportion of those using DevSecOps (87%) said it had taken between three months and one year to embed the culture, and yet many still struggle to make it work.

Only 55% of organisations working with DevSecOps said its practices are fully integrated and working at the level they want. This is in part due to the 47% of organisations admitting there was insufficient collaboration between teams, with a similar number (51%) citing that delivery teams are resistant to change. Furthermore, four-in-ten (40%) said they still have significant internal challenges with security, indicating security teams remain dissatisfied with the release output.


The survey also highlighted how those planning on implementing DevSecOps practices are underestimating the level of training required. Whilst only a quarter (26%) of organisations in the planning stage foresee a need for more internal training post-implementation, the reality is that over half (52%) of those operating with DevSecOps have had to provide additional internal training.

Another area being underestimated by those in the planning phase is security expertise. Only 18% of those planning to implement DevSecOps expect a lack of security expertise to cause them a major difficulty, compared with the reality that almost 1 in 3 (30%) companies admit that it has caused them a major challenge.

Thomas Barns, Service Design Director, Capacitas said: “Everyone is under pressure to achieve faster time-to-market, but it is illogical for DevSecOps implementations to lead to more P1 incidents that can cause irreversible financial and reputational damage, not to mention weaken customer relationships.

“The move-fast-and-break-things approach can only work up to a point – organisations are offsetting the many benefits of DevSecOps by compromising on quality and resilience for speed when they do not need to. Business leaders must prioritise security best practice and understand that DevSecOps requires a culture shift, which will bring people challenges. But with the correct planning and ways of working, it is possible to have it all.”

Despite the challenges, more than eight-in-ten said DevSecOps has improved developer productivity and almost all respondents said they have seen the practice deliver improvements across consistency, cost-reduction, speed of delivery and deployment frequency.

And whilst 97% of current users firmly believe it is delivering ROI, nearly four-in-ten (38%) admit they cannot extract any useful insights from the metrics they collect, highlighting a clear need for external support.