IT organizations are increasingly adopting DevSecOps tools to complement agile development practices, accelerate delivery, and improve product quality and security via automation. However, as businesses continue to invest heavily in DevSecOps, they often discover that the tools alone do not offer the returns they were hoping for. In most cases, this is because one vital component was not factored in as the organization shifted: culture. DevSecOps is about much more than just the tools our organizations choose to adopt; it’s about radically shifting the way teams work together. Indeed, the foundation of a thriving DevSecOps practice is dependent on a cultural transformation where teams not only learn about new tools and methods of collaboration, but value them as effective means of solving problems and achieving a shared mission. While the task may be daunting, building a DevSecOps culture is critical to enabling businesses to maximize return on investment (ROI) and ensure a thriving DevSecOps practice.
What is culture?
Organizational culture encompasses the shared values, attitudes, expectations, and ways of interacting that determine how engineering teams solve problems and achieve common goals. Setting the tone for shared values and norms improves team performance and engagement by promoting a positive, productive work environment where individuals are empowered to contribute to team success. When adopting DevSecOps, organizations must focus on three main cultural elements:
Functional understanding is the most important single factor in driving adoption of a DevSecOps culture. Simply put, functional understanding means that everyone involved with the engineering process understands how DevSecOps affects them. This extends beyond developers, testers, and systems engineers to include other less technical roles such as business analysts, scrum masters, project managers (PMs), and technical writers, as the way they submit, receive, report, and analyze work changes in a DevSecOps-driven environment. When adopting new DevSecOps tools and processes, it is essential that all team members understand the change in expectations prior to implementation. Team members not only learn how to use these tools and processes, but also understand the value they provide in improving the way they work, both in their respective roles and as a team. By achieving a common functional understanding of DevSecOps tools and processes, team members feel more confident adopting them in their daily operations, thereby increasing the likelihood of successful DevSecOps outcomes.
Rapid collaboration is the fusion of tools and people to form a seamless, transparent development ecosystem. In other words, continuous integration/continuous delivery (CI/CD) tools like Jenkins and GitHub are configured to integrate with project tools (e.g., ChatOps, Jira) to automate communications and tasking across traditionally siloed teams. Team members performing procedural tasks such as committing code, running tests, reviewing code, or updating a user story can trigger automated communications to vested stakeholders. Examples of this rapid collaboration include:
- A developer commits code and creates a pull request that triggers an instant notification to all developers that the code is ready for review
- A scrum master creates a new user story in Jira to reflect a priority enhancement request and ChatOps tools, such as Slack, notify the developer of a new task
- Monitoring tools flag a production server nearing a critical state and alert the support team via ChatOps to take immediate action to prevent an outage
- A PM wants to check on the status of a user story and pulls up the ticket in Jira to see that GitHub and Jenkins integrations show the code was submitted, the build deployed, and all tests passed
By integrating these automated tool sets, organizations foster close collaboration and communication between teams, allowing individual team members to see what has been completed, understand what needs to be done next, and take initiative. Subsequently, this level of collaboration enables organizations to realize the benefits of DevSecOps sooner, including accelerated delivery timelines, increased productivity, and improved software quality.
Team empowerment refers to the concept that DevSecOps not only enables team members to take initiative, but also offers flexibility to determine which combination of tools, processes, and configurations works best for them. As no two DevSecOps implementations are alike, engineering teams are empowered to continually tailor their tools and find ways to automate procedural inefficiencies across development and business processes. While finding ways to automate engineering processes offers huge returns (e.g., CI/CD, automated testing, monitoring), automating communications, reporting, and project tracking can also cut down on time spent in meetings and reduce administrative overhead traditionally associated with systems development. By automating business processes, time that was once taken up by additional meetings can instead be put towards building the product, saving valuable time for both team and customer. A DevSecOps culture emphasizes the idea that teams learn and grow together, and empowering teams to adapt tools and processes to solve their unique problems and meet delivery goals enables your DevSecOps implementation to achieve target outcomes sooner and with greater reliability.
How cultural shifts make DevSecOps work
As any business grows and scales, the way it produces a product changes, even if the product itself remains the same. For example, a start-up company that makes toys might start by hand-making toy molds and hand-pouring the resin for them; as the company expands, however, it can realize economies of scale by automating aspects of the mixing and pouring process, investing in larger equipment, or potentially even switching to a new material that is easier to mechanize. Scaling up production of a less tangible product such as software is no different: at scale, developers need the proper tools to quickly deliver quality products. With those tools, though, come new processes: just as someone hired to hand-pour resin cannot be expected to know how to operate an automatic mixing machine overnight, engineering teams need to understand how new DevSecOps tools change the way they perform their jobs.
Before teams can begin using new tools, organizations must start with the training needed to understand how to use them. Communicate to the entire team that your enterprise will be shifting to a DevSecOps approach and be clear about both the changes that will be expected of team members and the ways in which these changes will enable them to do their jobs more easily, efficiently, and effectively. Some of the initial challenges stem from technical understanding: employing an industry standard branching strategy (e.g., GitFlow), for example, is a complex task, and some team members may face a considerable learning curve. Other challenges come from changes to the process: a fully manual engineering team may have waited for an in-person request to move to another stage of development, but high maturity DevSecOps teams rely on automated and integrated tools to signal when work is ready. Stakeholders also need to understand how DevSecOps changes the process: they may be familiar with development, deployment, and testing as three distinct phases, for example, but in DevSecOps, these activities occur in parallel.
As discussed above, DevSecOps involves integrating toolsets to seamlessly orchestrate communications and tasking across teams in an automated and transparent fashion. Over the course of training, it is crucial for teams to understand how each tool fits into the broader DevSecOps ecosystem — and when organizations integrate those tools to the greatest extent possible, that process is much easier. It can be overwhelming for team members to be introduced to a slew of new tools, all seemingly doing entirely separate tasks. By integrating those tools, organizations are able not only to simplify the technical aspects of development, but also to enable holistic training of the end-to-end DevSecOps process.
Facilitating these cultural changes does more than simply make your engineering team more comfortable with your DevSecOps implementation — it maximizes the value of that implementation, delivering measurable ROI. By promoting functional understanding, rapid collaboration, and team empowerment, organizations nurture a collaborative and more productive work dynamic, as team efforts become more transparent and less siloed. Rather than separate siloed teams of developers, testers, and administrators passing work between each other, a mature DevSecOps culture fosters a unified and collaborative team.