Leveraging DevSecOps to Unify IT, OT, and Cybersecurity Practices

By Sofía Garduño | Journalist & Industry Analyst - Thu, 10/24/2024 - 17:11

The convergence of information technology (IT) and operational technology (OT) within smart manufacturing processes—including sectors such as manufacturing, energy, and telecommunications—has introduced complex cybersecurity challenges. In this landscape, DevSecOps has emerged as a vital solution, integrating security into every phase of the software development lifecycle, say industry experts at MSC 2024 ECHO. 

“It is crucial to integrate IT and OT, two seemingly distinct yet interconnected domains, to mutually strengthen and enhance cybersecurity,” says Lino Avila, Cybersecurity Associate Director, Seguros Monterrey New York Life.

As cyber threats grow increasingly complex and frequent, traditional security measures in manufacturing often prove inadequate for protecting critical industrial systems. DevSecOps offers a comprehensive solution by integrating development, operations, and security from the outset of software processes, fostering a culture of collaboration and continuous security. This methodology is grounded in several key principles, including security by design (shift-left security), automation, and the integration of security controls within continuous integration and delivery (CI/CD) pipelines.

The primary objective is to identify and mitigate vulnerabilities during the early stages of development, rather than addressing them post-deployment, while maintaining a state of constant vigilance through ongoing monitoring. "With DevSecOps integrated from the beginning to tackle vulnerabilities, the number of issues is reduced by 50% compared to traditional approaches," says Felipe García Vivanco, VP of Information Security and CISO, Televisa Univision.

According to UpGuard, the implementation of DevSecOps enables Mexican companies to manage both IT and OT security on a unified platform, facilitating real-time monitoring and protection of systems. This integration optimizes operational efficiency without compromising security, as practices such as automation and continuous monitoring empower organizations to proactively identify and mitigate vulnerabilities, thereby enhancing their overall cybersecurity posture and reducing the likelihood of incidents.

Despite the clear advantages of DevSecOps, its implementation in Mexico encounters several significant challenges. "Working on the DevSecOps component is crucial in cybersecurity. While development may experience some delays, security will make significant strides," says Enrico Belmonte, CIO, Peñaranda.

One of the most pressing issues is the shortage of specialized talent. The country continues to grapple with a lack of professionals trained in cybersecurity, particularly in the convergence of IT and operational technology (OT) environments. To address this gap, training teams in methodologies such as security-as-code and continuous compliance is crucial for effective implementation.

Moreover, many industrial systems lack the update capabilities and agility typically found in IT systems, complicating the integration of DevSecOps in these environments. "Cultural change is a challenge, and there is a lot of lack of awareness. This is where training solutions for the entire IT department come into play," says Belmonte.

In addition, more conservative sectors within the industry may resist adopting these innovative methodologies due to concerns about initial implementation costs and potential operational disruptions. As a result, leaders overseeing DevSecOps initiatives must strategically secure the necessary resources, as obtaining financial support from the organization can be challenging for implementing optimal strategies.

"Conducting a controlled hacking exercise is beneficial for determining effective budget allocation and securing necessary resources from the organization," says Chava Valades, Associate Director - Cyber Security Defense Ops, AstraZeneca.

Another critical challenge lies in regulatory compliance. Organizations must ensure that their security practices align with both local and international regulations, such as the General Data Protection Regulation (GDPR) and the Federal Law on Personal Data Protection. To navigate these complexities, a robust compliance automation strategy is necessary to continuously verify adherence to relevant regulations.

As companies strive to fully optimize smart manufacturing, the adoption of DevSecOps emerges as a critical strategy for unifying information technology (IT), operational technology (OT), and cybersecurity practices. In the coming years, UpGuard anticipates that a growing number of organizations—particularly within the industrial and energy sectors—will embrace this approach, driven by the increasing utilization of the Internet of Things (IoT) and the imperative to safeguard critical infrastructure.

"We must adapt to the rapidly changing landscape, as attacks have surged by 300% in just two years. It is crucial to modernize continually in response to emerging threats while ensuring operational stability," says Jorge Peralta, Director of Information and Communications Technologies at Lotería Nacional.
