Long ago, in the time “Before the Internet,” IT departments had developers who created applications and handed the code to QA testers, who verified the functionality. Then the Operators put it into production and monitored it so that the help desk would not get calls from angry users. If you know what a 3270 terminal is, then you lived in this simpler time. Technology advanced: in the 1990s Berners-Lee brought the “World-Wide-Web” to life to make the Internet useful to non-geeks, and inadvertently opened Pandora’s box. Although ransomware attacks had been recorded since 1989, there was no widespread execution, as the distribution was physical via floppy disks. The Internet drove the interconnection of businesses and users, making it easy for threat actors to distribute malware and ransomware; however, there was no easy and covert way to collect payment. This limited crimes to small dollar amounts where payments could be collected via credit card.
In 2009, the threat actors’ problem of how to easily extract payments, especially in larger amounts, would be answered with the release of a digital currency called Bitcoin. Since Bitcoin is distributed and decentralized, it exists outside the monitoring capabilities of the central banks. The ability to obfuscate digital payments in Bitcoin makes them more difficult to track and helps threat actors evade law enforcement, and it was quickly adopted by hackers.
Also in 2009, the agile development community, in particular Paul Dubois, was frustrated that development and operations teams were not working together, which caused him additional work and unnecessary heartburn. To bring these two groups together, the first DevOps conference was held in Belgium. With DevOps, through automation of the build, deploy, and test processes, along with improved collaboration between developers, testers, and operations, delivery teams can release changes faster.
Ransomware as a service emerged in 2012 with the Reveton ransomware. Then CryptoLocker raked in $20 million in Bitcoin in 2013 by using email as a distribution method. As Bitcoin climbed in value to over $1,000 in 2014, the target of criminals changed from users to businesses.
Adding a Security focus to DevOps is attributed to Shannon Lietz of Intuit in 2014. Prior to this, organizations followed the Software Development Life Cycle processes to create high-quality software that meets customer expectations while minimizing project risks. However, security testing was left until after the software was developed. This was fine when software release cycles were long, but the Agile methods were speeding up release cycles. Shannon’s vision was that by embedding security choices into DevOps (hence DevSecOps), development lifecycles could be sped up without sacrificing security. Software teams can detect security issues at earlier stages and reduce the cost and time of fixing vulnerabilities. As a result, users experience minimal disruption and greater security after the application is produced.
Application development prior to 2014 was focused on speed to market, and security was really an afterthought. Threat actors, now with the power to stop the operations of an organization and threaten its viability, started to demand millions of dollars. One might guess that Security would become a requirement, but the lure of the Cloud, with its OPEX-centric business model and utility-like pricing, blinded the CXOs of the world.
In 2023, Ransomware, at over $8 trillion in revenue, was the 3rd largest economy in the world measured by GDP, as reported by Cybersecurity Ventures. In 2024, the average ransomware payment was $2.74 million out of a $5.2 million total cost. Microsoft and Google announced the adoption of Rust, a memory-safe language, for application development as part of broader Secure Development Practices.
From my perspective, Bitcoin is a key enabler of cybercrimes as it obfuscates the criminal and enables large untraceable digital transactions. Threat actors are no longer a lone hacker but organized crime syndicates and nation-state entities. They have funding, purpose and the skills to disrupt or destroy. Historically, organizations fund value creation activities, not nice-to-do activities. However, the extreme external security threats that have extinction-level consequences force organizations into making security investments in technology and people. Organizations are realizing that security is more than a bolt-on technology like antivirus or endpoint monitoring tools. Security needs to be designed into the people, the culture, the processes and products. The role of DevSecOps has emerged as a direct result of Bitcoin.
What we need in 2025 is “Security as an ethos.” This means that the concept of security is not just a set of practices or procedures, but a deeply ingrained mindset and cultural value within an organization or community, where everyone actively prioritizes and contributes to safeguarding information, systems, and people, viewing it as a fundamental responsibility and not just a task to be checked off.