Abstract
Many organizations are failing to realize the benefits of modern software delivery, such as increased velocity, increased resiliency, higher code quality, and less unplanned downtime. A successful DevSecOps transformation needs to include a philosophy that encompasses processes, practices, and a culture of continuous learning and improvement.
In 2009, the general understanding in the IT industry was that projects would run late, underperform, or simply fail, resulting in fear and resistance from business users. Despite the advancements following the , iterative development was failing to complete the “last mile” to continuous delivery.
Patrick Debois introduced the term “devops” to capture his vision for a future where developers and sysadmins would work together to deliver reliable software faster. Since then, the movement has evolved to DevSecOps—incorporating security into the culture, principles, and processes created to streamline software release cycles.
According to the State of Agile Survey, 71% of IT organizations have current or planned DevSecOps initiatives. In fact, Gartner predicts that 50% of the CIOs who have not transformed their capabilities by 2020 will be displaced from their leadership teams.
Yet despite the rapid adoption, many organizations are failing to realize the benefits of modern software delivery, such as increased velocity, increased resiliency, higher code quality, and less unplanned downtime. Through our work across industry and government, we’ve seen organizations invest heavily in DevSecOps toolchains only to replicate legacy processes. That’s because a DevSecOps solution is more than tools—it’s a philosophy that encompasses pipeline automation processes with practices that takecode changes all the way through production.
The growing ecosystem of tools and vendors can make organizations lose focus on the most critical tenet of successful DevSecOps transformation: a culture of continuous learning and improvement.
The founders of DevOps envisioned a multidisciplinary approach grounded in for the underlying business. These are human characteristics that cannot be automated—they are qualities cultivated through a strategic vision, transformational leadership, and employee empowerment. The challenge is that culture change is a wicked problem; every organization consists of multiple unique cultures, and there are no right or wrong approaches to transformation.
No one has the perfect recipe for the ideal DevSecOps culture, but more than a century of consulting has taught us a few best practices for getting started. Step one: Develop your rallying cry for DevSecOps transformation.
Consider hosting a cross-functional retrospective to develop a common understanding of the challenges in current delivery processes. Is there an ingrained “us vs. them” mentality across your development and operations teams? Do your developers respect the value of sysadmins? It’s important to understand the problems you’re trying to solve and the experiences and beliefs that have driven your current culture when developing your DevSecOps vision.
The found that the characteristics of transformational leadership—vision, inspirational communication, intellectual stimulation, supportive leadership, and personal recognition—are highly correlated with strong IT performance. These characteristics set the tone for the organization and reinforce high-trust cultural norms.
If you’re responsible for leading a DevSecOps transformation, consider a public pledge to serve as the chief culturist. Read everything you can about DevSecOps, go to conferences, and build relationships with other leaders on the journey to modern software delivery.
Once you have a chief culturist and a resounding DevSecOps rallying cry, the next step is to assess your DevSecOps maturity level. Our Enterprise DevOps Playbook includes a maturity questionnaire with a series of questions related to seven core DevOps practices.
“You must understand where you are in the spectrum, and more importantly, what you want to get out of each practice area to drive DevSecOps adoption.”
Beyond these practice areas, it’s also important to determine which stakeholders will be affected by the DevSecOps implementation, and how. Clearly defining the changing policies and processes and gaining buy-in from stakeholders significantly reduces the quality and security risks of DevSecOps implementations.
If you’ve come this far, you likely have an idea of the budding change leaders within your organization. Now’s the time to identify and mobilize these influencers across functions and teams. Consider creating a community of practice or guild to assemble and empower change agents, and provide resources for training and experimentation. At ĢƵ Allen, we provide our people with subscriptions to Udemy for on-demand training and host crowdsourcing challenges to encourage entrepreneurship. These leaders should espouse the principles of DevSecOps and help advocate and champion the transition.
In addition to IT roadmaps, we recommend designing journey maps to capture the movements that matter for your stakeholders. The journeys should include planned touchpoints to engage, train, and support each audience, including insights into what people will think or feel during each interaction.
At the individual level, these touchpoints should focus on foundational capabilities and good habits. If you roll in a dynamic continuous integration/continuous delivery pipeline that can deploy multiple times a day but you don’t have proper software configuration management, you’re basically deploying garbage faster. Defining, recognizing, and rewarding good habits such as code coverage and continuous integration are fundamental to a high-performing DevSecOps culture.
Organizations fall into the DevSecOps technology trap because they expend all their resources on the toolchain and assume that the culture and foundational practices will follow. But real world DevSecOps failures show that investment in a clear vision, defined processes, and empowered people are critical for successful transformation.
Tackling the wicked problem with DevSecOps really comes down to stepping back and asking: what are we trying to do here, who do we need to get it done, and what is the best way to do it?
