Organizations that successfully adopt DevOps position themselves well to mature to DevSecOps. For them, bringing the security group into a cross-functional team in order to build more secure systems is just as much a part of the company culture as building high-quality, supportable software.
It’s important to remember that DevOps and DevSecOps are not job titles or roles. They are significant shifts in thinking and processes. Companies that don’t embrace them limit their own ability to fuel innovation, and they fall behind. According to Gartner, 90 percent of organizations attempting to use DevOps without specifically addressing their cultural foundations will eventually fail to deliver.
Warning Signs that a DevOps Initiative Isn’t on Track
DevOps is first and foremost a cultural transformation within an organization. It is aimed at breaking down the barriers between development, support and QA in order to create an environment based on collaboration and shared accountability. Difficulty in communication and collaboration, finger-pointing and a lack of enthusiasm for the common goals of the team are generally early warning signs that the DevOps initiative is not going well.
Like most cultural transformations, DevOps needs to start at the top of the organization. The C-suite must understand and promote the concept, identify and empower champions within their organization and lead by example. When leaders' actions and messages go against basic DevOps concepts, or when leadership fails to actively support them, these initiatives almost always fail.
The Definition of Insanity
The biggest mistake organizations make when trying to course-correct a DevOps effort is continuing down the same path and expecting a different outcome. Positive change is often needed to realign a failing program, such as a change in champions, team structure or overall approach. If the organization is truly committed to modernizing development, it has to reset expectations, reaffirm support and often find new champions to lead the way to get this initiative back on track.
DevOps to DevSecOps
Modernizing your development processes will enable your organization to more easily and seamlessly automate and embed security into the development process, for true DevSecOps. Doing so continuously is critical to increasing and delivering on innovation velocity. In fact, Gartner predicts that DevSecOps will be embedded into 80 percent of rapid development teams by 2021. The nature of Agile development and DevOps means deployment velocity is accelerating so fast that traditional (manual, periodic) approaches to security cannot scale. This lack of scale means a higher risk of releasing vulnerabilities into production and higher costs of fixing existing vulnerabilities.
Managing risk and cost are important responsibilities of leadership teams in any enterprise today, and creating an environment where DevOps, followed by DevSecOps, can be embraced is only the beginning of an important transformational journey. Read how The Dana Foundation embedded security into its software development lifecycle (SDLC) to accelerate DevOps adoption.