Times are changing. Hacking attempts are on the rise, and the consequences of a data leak can be devastating. Many companies underestimate their value to attackers. Cyber-criminals steal personal data from various sources and often combine and sell it to anyone willing to pay. Any organization that processes personal data is a potential target. In the past, companies could easily handle incidents with a proper incident response process. But today, the increasing exposure and financial impact can be business-threatening. Organizations must comply with regulatory policies, and failing to do so can result in steep fines or other repercussions.
Security challenges have also changed rapidly. In a world dominated by web applications, mobile platforms, big data, cloud solutions and social interactions, the risks are no longer purely technical (such as those around encryption and network security). Businesses need to ask what's necessary to the business and what merely increases the risks. Without a clear answer to these questions, security experts can only attempt to mitigate the technical risks, which requires much effort for minimal risk reduction.
KPN faced several challenges. Their landscape consisted of multiple back-ends and front-ends, each containing different information about the same customers. This fragmentation made it difficult for employees and users to gain insight into the complete profile. It also made it difficult to implement changes in the systems due to multiple dependencies.
Integrating security into software development appears to be an overwhelming challenge. But KPN and Xebia accomplished it, proving it was only possible with the right approach. In consultation with Xebia, KPN decided to create a single front-end in front of the multiple back-ends. Using an Agile approach, KPN gained the flexibility to connect one system at a time and implement continuous improvements to the system.
The Xebia SecDevOps approach resulted in a better understanding of security within the teams. It made it easier to implement changes and reduced the time needed for validation. Production incidents have also decreased, proving that this approach works. Development and business can confidently apply changes without worrying about the security impact. They can focus more time on new functionality instead of spending it on fixing incidents. Integrating security into the software development lifecycle has catalyzed development within KPN.