The founders of DevOps envisioned a multidisciplinary approach grounded in communication, domain understanding, and passion for the underlying business. These are human characteristics that cannot be automated—they are qualities cultivated through a strategic vision, transformational leadership, and employee empowerment. The challenge is that culture change is a wicked problem; every organization consists of multiple unique cultures, and there are no right or wrong approaches to transformation.
No one has the perfect recipe for the ideal DevSecOps culture, but a century of consulting has taught us a few best practices for getting started. Step one: Develop your rallying cry for DevSecOps transformation.
Consider hosting a cross-functional retrospective to develop a common understanding of the challenges in current delivery processes. Is there an ingrained “us vs. them” mentality across your development and operations teams? Do your developers respect the value of sysadmins? It’s important to understand the problems you’re trying to solve and the experiences and beliefs that have driven your current culture when developing your DevSecOps vision.
The 2017 State of DevOps Report found that the characteristics of transformational leadership—vision, inspirational communication, intellectual stimulation, supportive leadership, and personal recognition—are highly correlated with strong IT performance. These characteristics set the tone for the organization and reinforce high-trust cultural norms.
If you’re responsible for leading a DevSecOps transformation, consider a public pledge to serve as the chief culturist. Read everything you can about DevSecOps, go to conferences, and build relationships with other leaders on the journey to modern software delivery.
Once you have a chief culturist and a resounding DevSecOps rallying cry, the next step is to assess your DevSecOps maturity level. Our Enterprise DevOps Playbook includes a maturity questionnaire with a series of questions related to seven core DevOps practices.
“You must understand where you are in the spectrum, and more importantly, what you want to get out of each practice area to drive DevSecOps adoption.”
Beyond these practice areas, it’s also important to determine which stakeholders will be affected by the DevSecOps implementation, and how. Clearly defining the changing policies and processes and gaining buy-in from stakeholders significantly reduces the quality and security risks of DevSecOps implementations.
If you’ve come this far, you likely have an idea of the budding change leaders within your organization. Now’s the time to identify and mobilize these influencers across functions and teams. Consider creating a community of practice or guild to assemble and empower change agents, and provide resources for training and experimentation. At Booz Allen, we provide our people with subscriptions to Udemy for on-demand training and host crowdsourcing challenges to encourage entrepreneurship. These leaders should espouse the principles of DevSecOps and help advocate and champion the transition.
In addition to IT roadmaps, we recommend designing journey maps to capture the movements that matter for your stakeholders. The journeys should include planned touchpoints to engage, train, and support each audience, including insights into what people will think or feel during each interaction.
At the individual level, these touchpoints should focus on foundational capabilities and good habits. If you roll in a dynamic continuous integration/continuous delivery pipeline that can deploy multiple times a day but you don’t have proper software configuration management, you’re basically deploying garbage faster. Defining, recognizing, and rewarding good habits such as code coverage and continuous integration are fundamental to a high-performing DevSecOps culture.
Organizations fall into the DevSecOps technology trap because they expend all their resources on the toolchain and assume that the culture and foundational practices will follow. But real-world DevSecOps failures show that investment in a clear vision, defined processes, and empowered people is critical for successful transformation.
Tackling the wicked problem with DevSecOps really comes down to stepping back and asking: what are we trying to do here, who do we need to get it done, and what is the best way to do it?