My previous articles in this series explored ways to create a DevSecOps culture and get executive buy-in for the DevSecOps transformation. The final step in crafting a DevSecOps culture is to provide the right level of support for tools and people to ease your projects into a DevSecOps model incrementally.
1. Provide support for DevSecOps tools
DevSecOps tools must work for developers. Developers should never work for DevSecOps tools. When you bring security responsibilities and tools into the developer role, you must equip your developers for success.
Even if you have developers clamoring for the latest DevSecOps tools, it’s best to take a systematic approach to support:
- Onboard and secure your DevSecOps tools using the same policies and standards as your other on-premises, software-as-a-service (SaaS), and cloud applications.
- Offer your developers training on the new DevSecOps tools, whether you hold it internally or go to an external training provider.
- Look for ways to add just-in-time support to your DevSecOps toolchain through short videos or job aids.
Shadow DevOps is when a development team implements a tool not approved by their IT department. The same phenomenon can apply to DevSecOps tools as well.
2. Treat collaboration as both technology and culture
Moving to DevSecOps amplifies the need for collaboration among your DevOps and security teams and your stakeholders. That requires you to establish the culture and put the technology in place to help your people collaborate effectively.
Collaboration is more than rolling out Slack, Rocket.chat, or Mattermost to your people. Tools and platforms are only part of the DevSecOps equation. With collaboration technology, you want to focus on:
- Platform access security using single sign-on (SSO).
- Platform access through a web browser and mobile app for team members’ convenience.
- Application programming interfaces (APIs) that are integration-friendly with your DevOps toolchain and other backend tools to support alerting.
Focus on implementing, operating, and maintaining a robust platform that your teams can trust to support instantaneous communication between departments and each other.
Never forget about collaboration as a cultural element. Work with your teams to make collaboration deliberate and bake it into your processes across the delivery lifecycle. Transparency and knowledge sharing become part of everybody’s job with reinforcement and coaching from management and team leads. Leaders need to set the standard for collaboration by interacting with team members.
3. Create shared goals and KPIs
When you work in silos—a common practice with security and DevOps teams—your teams may operate under conflicting goals and key performance indicators (KPIs). That’s right, some DevOps and security teams might cancel each other’s efforts for nothing more personal than different departmental objectives.
Here are some tips for getting your DevOps and security teams to work together with shared goals:
- Bring your DevOps and security teams together at the same table when developing shared goals. Treat them as one team focused on the security of your software. Involve the proper upper management in goal setting to help settle group conflicts.
- Centralize KPI reporting on a dashboard that’s accessible by every team member and stakeholder involved in DevSecOps.
- Conduct goal-setting meetings with representatives from your DevOps and security teams sitting at the same table.
For bonus points, offer your managers and stakeholders the training and the tools to deflect questions about KPIs and shared goals from your DevOps teams to a dashboard or other automated reporting format accessible by your management team.
4. Promote an innovative workforce
There’s a lesson to learn from the US Department of Defense (DoD) and DevSecOps culture. As elements of the DoD implement DevSecOps to speed the delivery of mission-critical software to personnel around the globe, they are using it as an opportunity to promote an innovative workforce.
It’s no longer business as usual for the DoD. The agency faces multiple challenges worldwide and at home, whether providing support to pandemic relief efforts in the United States or supporting troops in hotspots around the globe.
According to Federal Computer Week, moving to DevSecOps enables the DoD to empower its workforce by encouraging teams to test, fail, adapt, and improve. It’s not to say that teams should always be “failing,” but they shouldn’t be afraid to test, fail, adapt, and improve.
When you move your organization to DevSecOps, you can also set the stage for an innovative workforce. You can use the collaboration and communication advances that DevSecOps brings to empower your development teams to experiment with new technologies such as serverless computing that can benefit your current and future clients. Federal agency development teams—now running on shorter, more secure development cycles—have room to create proofs of concept that you can fund through small-budget statements of work (SOW) or other transactional authorities (OTAs).
5. Prepare other business units for DevSecOps
The transformation to DevSecOps doesn’t just touch your developers, operations, and security teams. It can impact other departments and business units as well. Taking the extra steps to bring your business units onboard with DevSecOps helps improve collaboration and communications with everybody
Here are some suggestions about how to prepare other business units to join your DevSecOps culture:
- Internal auditors: Your internal and external auditors benefit from granular reporting about the security of your software builds. Start by providing them access to your toolchain reporting (if they don’t have it). The next step is to give them access to your DevSecOps team’s collaboration channels, if necessary.
- Finance: As part of your DevSecOps transformation, educate the finance staff who support your development teams on anything they need to understand about your DevSecOps tools, especially if you have subscription-based ones. Also educate your finance team about the consumption-based pricing of any cloud-native services. Finally, don’t forget to encourage collaboration between your finance and DevSecOps teams to analyze the impact of containers on your monthly cloud spending.
- Legal: Your legal team may also play a part in a DevOps-to-DevSecOps transformation by collaborating with your developers on potential proprietary or open source licensing concerns.
6. Establish a DevSecOps Center of Excellence
DevSecOps adoption may vary across your business units. Staffing and training may differ. There are benefits to establishing a DevSecOps Center of Excellence (CoE) that brings together a cross-functional team of experts from across your organization to improve DevSecOps adoption as the end goal.
Providing the right tools and support to the right team members is a key element in any DevSecOps transformation. The tools must make sense for the environment, integrate easily, and be useful. Use these tools to enable shared goals among traditionally disparate teams. Furthermore, consider how other teams, such as finance and legal, might also benefit from understanding the DevSecOps transformation.
This post previously appeared on Red Hat’s Enable Architect on August 30, 2022. The site ceased publication in April 2023.