Developing the Blueprint for DevSecOps Success

By: Steve Hyland, VMD Corp, Solution Architect/Agile Practice Lead

People make all the difference

A recent McKinsey Digital report identified that talent and culture issues pose the greatest challenge to technology transformation. As someone who lives and breathes Agile, I realized that DevSecOps is no different, and that if you want a successful change, you have to start by realizing that people are impossible to separate from that change. You can’t have an orchestra if the brass refuses to play, and a company works no differently. Don’t make the mistake of over-emphasizing the technologies and tools without effectively communicating the impact that they’ll have on the organization overall. In any technology transformation, you cannot afford to ignore the human element.

Admittedly, convincing people to change can be a difficult, stubborn, and even painstaking process. Nido Qubein once said, “Change brings opportunity,” but changing habits and raising awareness across all levels of an organization has never been easy. Ask any leader, and they’ll tell you that forcing change is like trying to push a car: it’s much easier to just start the engine. Persuading and changing people’s attitudes is a challenge, and not everybody is going to go with the flow of progress. While this inevitably threatens the balance of the emerging structure, dealing with naysayers sternly and openly will foster an environment that lets everybody see that you are confident in this new direction. Motivation is key, and to that end you have to provide a healthy learning environment that offers people the time and space to adapt to the change and gain a full understanding of how important it is. Below we’ll go over some best practices you can use to make sure your people are more likely to embrace the change involved in building a sustainable blueprint for a successful DevSecOps transformation.

Build a culture founded on performance

All the DevSecOps processes and technologies in the world won’t achieve the desired results if your culture is strained by reorganizations, burned-out employees, and change fatigue. Remember, your culture is a collective of sustained patterns of behavior supported by shared experiences, values, reward systems, and business routines. You must align your culture to your strategy, and how you go about this can reap huge potential benefits, improving communication, optimizing collaboration, and building more engaged teams to drive performance. Here are some actions you should take to achieve this:

  1. Emphasize openness, transparency, and fairness. One of the most important things to avoid is “office politics.” Helping people change by being open, transparent, and fair will foster much more loyalty and respect than pettiness or favoritism. Strive to create an environment where people feel free to raise issues and concerns with a combination of communication, education, and action.
  2. Own your role. First, take a good, hard, honest look at yourself and ask, “Am I part of the problem?” Take ownership and accountability for your shortcomings. There may be things you can personally change that will have a positive impact. You should consider your own personal attitude, how you communicate with others, and the effort you put forth in making positive contributions. Make sure you know your people and their capabilities, satisfaction, trust levels, and expectations.
  3. Use influencers to make things better. Acknowledge that true leaders are not necessarily those in charge. Identify the natural leaders and let them use their influence to help others better support and accept the change. Hopefully this will trickle out to their teams and, ultimately, throughout the business.
  4. Show patience. Yes, patience is a virtue. You need to ensure all aspects of your culture are rooted in your people and accept that refining this requires great effort and time, and that it will never be perfect. Identify what you can do today, don’t take on more than you can handle, and work forward in small chunks to implement change and improve your culture.

Break down traditional barriers and silos

Development, operations, and security teams often operate within their own distinct bubbles, only interacting and communicating during hand-offs or when there are problems with a product. You have got to challenge the way these teams work together and how they work with the whole business. By forging clear feedback loops, you can craft better, more informed decisions more quickly and at lower levels. You need to assemble cross-functional teams made up of exceptional and influential people from all areas to serve as evangelists of this change, imbued with the power to make decisions and take action. Designated security advocates are great conduits for this role, and embedding them into cross-functional Agile teams is a good way to break through these respective bubbles and employ shift-left principles. Ideally, these advocates are actively involved in the software delivery pipeline to ensure security concerns are addressed as early as possible in the development life cycle. They can also assist in the triage of security bugs or vulnerabilities and help foster a “security mindset” by highlighting the importance of security across all areas of the business.

Invest in training and professional growth

Bill Gates once said, “The moment you stop learning is also the one in which you will stop leading.” A stagnant leadership will nearly always beget a stagnant workforce. Technology transformation, including DevSecOps, begs for a strong head of the house, and requires that you train not only your change agents, but your executives, managers, and leaders as well. This ensures that the vision is set and properly disseminated throughout the organization, the appropriate actions are taken to drive the change, and the path for implementing the change is clearly communicated to the people in the organization. Additionally, your training strategy must be grounded in your business goals, policies, and standards for software development, operations, and security. Learning methods and channels must be elastic and adaptable. It is imperative that existing staff and new hires get the appropriate training and tools they need to do their jobs. Doing so will foster good development, operations, and security staff. Nurturing this kind of environment will allow the delivery of greater innovation, repeatable processes, higher quality, and more rapid release of secure software.