People make all the difference
A recent McKinsey Digital report identified that talent and culture issues pose the greatest challenge to technology transformation. As someone who lives and breathes Agile, I realized that DevSecOps is no different, and that if you want a successful change, you have to start by realizing that people are impossible to separate from that change. You can’t have an orchestra if the brass refuses to play, and a company works no differently. Don’t make the mistake of over-emphasizing the technologies and tools without effectively communicating the impact that they’ll have on the organization overall. In any technology transformation, you cannot afford to ignore the human element.
Admittedly, convincing people to change can be a difficult, stubborn, and even painstaking process. Nido Qubein once said, “Change brings opportunity,” but changing habits and raising awareness across all levels of an organization has never been easy. Ask any leader, and they’ll tell you that forcing change is like trying to push a car: it’s much easier to just start the engine. Persuading and changing people’s attitudes is a challenge, and not everybody is going to go with the flow of progress. While this inevitably threatens the balance of the emerging structure, dealing with naysayers sternly and openly will foster an environment that lets everybody see that you are confident in this new direction. Motivation is key, and to that end you have to provide a healthy learning environment that offers people the time and space to adapt to the change and gain a full understanding of how important it is. Below we’ll go over some best practices you can use to make sure your people are more likely to embrace the change involved in building a sustainable blueprint for a successful DevSecOps transformation.
All the DevSecOps processes and technologies in the world won’t achieve the desired results if your culture is strained by reorganizations, burned-out employees, and change fatigue. Remember, your culture is a collective of sustained patterns of behavior supported by shared experiences, values, reward systems, and business routines. You must align your culture to your strategy, and how you go about this can reap huge potential benefits, improving communication, optimizing collaboration, and building more engaged teams to drive performance. Here are some actions you should take to achieve this:
Development, operations, and security teams often operate within their own distinct bubbles, only interacting and communicating during hand-offs or when there are problems with a product. You have got to challenge the way these teams work together and how they work with the whole business. By forging clear feedback loops, you can craft better, more informed decisions more quickly and at lower levels. You need to assemble cross-functional teams made up of exceptional and influential people from all areas to serve as evangelists of this change, imbued with the power to make decisions and take action. Designated security advocates are great conduits for this role, and embedding them into cross-functional Agile teams is a good way to break through these respective bubbles and employ shift-left principles. Ideally, these advocates are actively involved in the software delivery pipeline to ensure security concerns are addressed as early as possible in the development life cycle. They can also assist in the triage of security bugs or vulnerabilities and help foster a “security mindset” by highlighting the importance of security across all areas of the business.
Bill Gates once said, “The moment you stop learning is also the one in which you will stop leading.” A stagnant leadership will nearly always beget a stagnant workforce. Technology transformation, including DevSecOps, begs for a strong head of the house, and requires that you train not only your change agents, but your executives, managers, and leaders as well. This ensures that the vision is set and properly disseminated throughout the organization, the appropriate actions are taken to drive the change, and the path for implementing the change is clearly communicated to the people in the organization. Additionally, your training strategy must be grounded in your business goals, policies, and standards for software development, operations, and security. Learning methods and channels must be elastic and adaptable. It is imperative that existing staff and new hires get the appropriate training and tools they need to do their jobs. Doing so will foster good development, operations, and security staff. Nurturing this kind of environment will allow the delivery of greater innovation, repeatable processes, higher quality, and more rapid release of secure software.