Abstract
Many organizations are failing to realize the benefits of modern software delivery, such as increased velocity, increased resiliency, higher code quality, and less unplanned downtime. A successful DevSecOps transformation needs to include a philosophy that encompasses processes, practices, and a culture of continuous learning and improvement.
In 2009, the general understanding in the IT industry was that projects would run late, underperform, or simply fail, resulting in fear and resistance from business users. Despite the advancements following the , iterative development was failing to complete the “last mile” to continuous delivery.
Patrick Debois introduced the term “devops” to capture his vision for a future where developers and sysadmins would work together to deliver reliable software faster. Since then, the movement has evolved into DevSecOps, incorporating security into the culture, principles, and processes created to streamline software release cycles.
According to the State of Agile Survey, 71% of IT organizations have current or planned DevSecOps initiatives. In fact, Gartner predicts that 50% of the CIOs who have not transformed their capabilities by 2020 will be displaced from their leadership teams.
Yet despite the rapid adoption, many organizations are failing to realize the benefits of modern software delivery, such as increased velocity, increased resiliency, higher code quality, and less unplanned downtime. Through our work across industry and government, we’ve seen organizations invest heavily in DevSecOps toolchains only to replicate legacy processes. That’s because a DevSecOps solution is more than tools: it’s a philosophy that combines pipeline automation with practices that take code changes all the way through to production.
The growing ecosystem of tools and vendors can make organizations lose focus on the most critical tenet of a successful DevSecOps transformation: a culture of continuous learning and improvement.
The founders of DevOps envisioned a multidisciplinary approach grounded in for the underlying business. These are human characteristics that cannot be automated; they are qualities cultivated through a strategic vision, transformational leadership, and employee empowerment. The challenge is that culture change is a wicked problem: every organization consists of multiple unique cultures, and there are no right or wrong approaches to transformation.
No one has the perfect recipe for the ideal DevSecOps culture, but more than a century of consulting has taught us a few best practices for getting started. Step one: Develop your rallying cry for DevSecOps transformation.
Consider hosting a cross-functional retrospective to develop a common understanding of the challenges in current delivery processes. Is there an ingrained “us vs. them” mentality between your development and operations teams? Do your developers respect the value of sysadmins? When developing your DevSecOps vision, it’s important to understand the problems you’re trying to solve and the experiences and beliefs that have shaped your current culture.
The found that the characteristics of transformational leadership (vision, inspirational communication, intellectual stimulation, supportive leadership, and personal recognition) are highly correlated with strong IT performance. These characteristics set the tone for the organization and reinforce high-trust cultural norms.
If you’re responsible for leading a DevSecOps transformation, consider a public pledge to serve as the chief culturist. Read everything you can about DevSecOps, go to conferences, and build relationships with other leaders on the journey to modern software delivery.
Once you have a chief culturist and a resounding DevSecOps rallying cry, the next step is to assess your DevSecOps maturity level. Our Enterprise DevOps Playbook includes a maturity questionnaire with a series of questions related to seven core DevOps practices.
“You must understand where you are in the spectrum, and more importantly, what you want to get out of each practice area to drive DevSecOps adoption.”
- Jimmy Pham, Principal
Beyond these practice areas, it’s also important to determine which stakeholders will be affected by the DevSecOps implementation, and how. Clearly defining the changing policies and processes and gaining buy-in from stakeholders significantly reduces the quality and security risks of a DevSecOps implementation.
If you’ve come this far, you likely have an idea of the budding change leaders within your organization. Now’s the time to identify and mobilize these influencers across functions and teams. Consider creating a community of practice or guild to assemble and empower change agents, and provide resources for training and experimentation. At 无忧传媒, we provide our people with subscriptions to Udemy for on-demand training and host crowdsourcing challenges to encourage entrepreneurship. These leaders should espouse the principles of DevSecOps and help advocate and champion the transition.
In addition to IT roadmaps, we recommend designing journey maps to capture the movements that matter for your stakeholders. The journeys should include planned touchpoints to engage, train, and support each audience, including insights into what people will think or feel during each interaction.
At the individual level, these touchpoints should focus on foundational capabilities and good habits. If you roll out a continuous integration/continuous delivery pipeline that can deploy multiple times a day but you don’t have proper software configuration management, you’re simply deploying garbage faster. Defining, recognizing, and rewarding good habits such as test coverage and continuous integration is fundamental to a high-performing DevSecOps culture.
Organizations fall into the DevSecOps technology trap because they expend all their resources on the toolchain and assume that the culture and foundational practices will follow. But real-world DevSecOps failures show that investment in a clear vision, defined processes, and empowered people is critical for a successful transformation.
Tackling the wicked problem with DevSecOps really comes down to stepping back and asking: what are we trying to do here, who do we need to get it done, and what is the best way to do it?