Cathay Creates a New Generation of Security Champions with DevSecOps Transformation

Paid Post: Amazon Web Services

[The content of this article has been produced by our advertising partner.]

In an increasingly interconnected world, technological innovations can bring about new opportunities that come with great risks. From artificial intelligence to cloud computing, companies are now relying on digital solutions to drive value and enhance customer experience. However, by being one of the first to jump on the bandwagon of this rapid evolution, companies can unwittingly expose themselves to cybersecurity threats and create an expanded attack surface for cyber criminals and hackers.

According to PwC’s 2025 Global Digital Trust Insights survey, 48% of business leaders rank cyber risks as the top threat to their organisation, which is no surprise when the cost of an average data breach is estimated at US$3.3 million. With transformative technologies like generative AI introducing even more complexities to an already stringent business environment, the need for proactive cybersecurity measures has never been greater.

Cathay is tackling this challenge head-on by embracing a DevSecOps approach to security with the support of Amazon Web Services Professional Services (AWS ProServe). As one of the world’s leading premium travel lifestyle brands, Cathay seeks to set new benchmarks in the aviation industry, ensuring that safety and compliance are upheld at every layer of operations as they soar to new heights.

Shifting Left and Mitigating Risk
The traditional approach to software development treated cybersecurity as an afterthought, addressing vulnerabilities later in the lifecycle and testing for them separately. With delivery teams often facing tight deadlines, this reactive approach led to one of two less-than-ideal scenarios when a security issue was detected: either the launch had to be delayed, or the vulnerabilities had to be fixed at a later date.
However, with the implementation of DevSecOps, a security-enhanced version of the DevOps model, automated security assessments are introduced throughout the continuous integration and continuous delivery (CI/CD) pipeline. “Shifting left” and implementing an early feedback loop changes the way teams work: vulnerabilities can be identified and resolved during the coding phase, long before actual deployment.

Key enablers of this shift are Amazon Inspector and CodePipeline, automated tools that facilitate continuous vulnerability assessments and delivery pipelines respectively. Because the tools are automated, security never takes a backseat, even when the team is under time pressure. Any code that is completed will be scanned for vulnerabilities, so they can be flagged and fixed before moving on to the next stage.

For years, security assumed a subsidiary role in software development in favour of speed to market, but Cathay’s transformation resulted in a 55% reduction in time-to-market for new projects, demonstrating that security and operational efficiency can in fact go hand in hand. Security does not have to be a burden to the organisation when it is integrated seamlessly, and the delivery of safe applications can be accelerated while maintaining compliance with industry standards. 

Changing Mindsets and Fostering Collaboration
In hindsight, knowing the benefits of DevSecOps and the success of the digital transformation, it is easy to support the brand’s transition. One might even question why it didn’t begin earlier. However, as with many other major organisational changes, the journey was not all smooth sailing, and a significant cultural shift was necessary to overcome internal obstacles and get everyone on board.

Traditionally speaking, software developers were confined to their usual roles of building, testing, and deploying code, with little involvement in security. To address initial resistance due to the added workload, Cathay implemented a top-down approach to redefine roles, fostering a culture of shared responsibility amongst development, operations, and security teams. As a result, every member of the team worked collaboratively to ensure security would be integrated into every layer of the organisation. 

With the aim of raising awareness, the ‘Security Champion program’ was developed in partnership with AWS ProServe to bridge the skills gap and inspire continuous learning. This initiative essentially “trained the trainer”, empowering members of the team with the knowledge and tools needed to make informed security decisions independently, while at the same time making room for more open dialogue and cross-team discussion.

To make application security learning even more engaging, events such as Capture the Flag tested the knowledge of Security Champions in simulated scenarios of real-world vulnerabilities. Through a gamified approach, teams competed to solve challenges focused on software development and web application security, fostering a deeper understanding of secure coding practices and common attack vectors in modern web applications.
“Security is everyone’s responsibility,” remarks Rajeev Nair, General Manager of IT Infrastructure & Security at Cathay. “It shouldn’t be the role of one single person or a particular function, but something everyone should pay attention to.” 

With support from management, synergy across the company gradually took hold. By taking ownership of security, the premium travel lifestyle brand has cultivated a workforce of security champions, simultaneously breaking down silos between teams. With open communication and shared accountability now in the company’s DNA, Cathay is on its way to building a more resilient organisation to navigate the evolving cybersecurity landscape.

Setting Benchmarks and Flying Higher
The DevSecOps migration at Cathay began in 2022, and the results have been evident. Existing applications have been thoroughly vetted for vulnerabilities, with false positives filtered out to streamline the software development process. By integrating advanced tools and implementing industry best practices, security is now a fundamental component of the airline’s operations.

“AWS has been a great partner, helping us every step of the way in the software delivery lifecycle and establishing a framework that works for us,” says Jack Zhang, Head of IT Solutions, Customer and Commercial at Cathay. By leveraging AWS's advanced cloud capabilities and tools, Cathay has been able to advance its security posture to meet that of more regulated industries.

Furthermore, the adoption of DevSecOps has also established clear guidelines for software development, encouraging external vendors and agencies to follow suit. According to Naveen Kumar Jaisankar, DevSecOps Practice Lead at Cathay, “Coding is a complex aspect of software development: a piece of function can be written in multiple ways. We are setting the standard for everyone to follow.” 

By pushing for a higher standard, Cathay is making a collective step for the airline industry as a whole, inviting counterparts to up the ante and challenge the status quo. As one of the leaders in the industry, the company’s openness to innovation and digital transformation serves as a testament to its dedication to providing safe, seamless, and secure experiences for customers.

Security as a Journey
Some may say that security is a journey, not a destination. Nevertheless, with cyber threats growing increasingly sophisticated, reputable brands and companies must rethink their approach to security. Many others seem to have warmed to this security-focused practice, with the DevSecOps market size projected to reach USD 58.32 billion by 2031, expanding at a staggering compound annual growth rate of 30.76% from 2024 to 2031.

For Cathay, adopting DevSecOps represents a significant step forward in its cybersecurity journey. Under the guidance of AWS, the brand has proved that it is possible to strike a balance between safety and speed. With the assistance of automated tools and streamlined processes, developers can now focus on curating value-adding experiences for customers, combined with a new-found understanding of best safety practices. 

By creating a new generation of security champions, Cathay is adding a protective layer to its business operations, while cementing its position as a leader in the aviation industry. As the premium travel lifestyle brand soars to new heights, its commitment to security, compliance, and innovation provides inspiration for organisations worldwide. With the extensive success achieved within a mere two years, the DevSecOps migration will continue, as the future of cybersecurity lies in collaboration, automation, and a relentless focus on excellence.
