Mindset is key to transforming your agency to a DevSecOps culture. As your agency moves to cloud-native software development, you need to foster a culture that supports changes in tools and processes to ensure a successful transformation.
My goal is not to capture a recipe for success, but rather to identify the framework that can determine DevSecOps readiness. In my last post, I discussed the mindsets around 1.) collaboration, 2.) listening and 3.) reusing components. Here are three additional mindsets that support strong DevSecOps:
4. You Break It, You Fix It
This is something every parent has said many times, but it also applies to a good culture. “You break it, you fix it!” is easy to bark at people, along with my personal favorite, “it works on my machine!” Neither comment does much to solve the problem. The mindset behind it is that security isn’t simply the responsibility of a few team members, but of everyone, at each step in the software lifecycle. This mindset may also show up as better cybersecurity hygiene, greater personal responsibility and more autonomy.
Make sure your tooling gives developers all the information they need to address the changes required in their code, plus why those changes need to be made. Also, make sure the developer doesn’t have to wait around all day for feedback. If you can automate feedback and communicate it back to the developer, security engineer or ops person after every commit, it empowers your teams, rather than just having another tool yell at them with another notification late in the afternoon.
5. Innovation Begins with Leaders
A culture that values innovation seeks solutions for smarter ways to work, and along with that are tools that can accelerate collaboration, communication and transparency. It starts at the top with the leaders in charge of a specific program.
Developers can often be empowered to find solutions to specific problems that need addressing if they know their leadership is behind them. This includes the common mindset of finding quick and easy wins even if it means doing things differently than they have been done before. “This is how we’ve always done it” and “This is how we’ve done it before” are not phrases we like to hear as developers, and frankly, they quickly kill developers’ curiosity to explore new solutions.
Leaders should encourage new ways to solve problems and actually pay special attention to the ones that they have never heard about before.
6. Authenticity Everywhere
It’s important to note that an effective culture must be authentic. It takes thoughtfulness, time and effort to develop or change culture. Don’t be a bulldozer. Leaders should evaluate their team, solicit feedback, actively listen and learn how to augment that team with proper resources (tools, engineers and training) in order to help them achieve their goals.
Additionally, leaders should spend time getting to know the problems, doing the training and engaging with their teams. You need to become intimately familiar with their problems to better help and lead your organization.
Conversely, when communicating problems to leadership there shouldn’t be any sugar-coating. Be authentic when communicating with leadership and your team members to identify issues, and always bring a potential solution to the table (if you have the energy to identify a problem, you have the energy to propose a fix). Also, if there’s an issue, don’t wait until scrum the next morning to bring it up.
Culture is vital to DevSecOps yet it takes time and effort to make changes that last. Be patient with the process – it can be transformative.
Hayden Smith is a senior engineer with Anchore, a software container security company. Currently, Smith leads developer projects across the Defense Department (DoD) and numerous federal agencies to help government organizations adopt DevSecOps best practices. His work includes building and automating Platform One, a collection of hardened and approved containers for use across agencies.
Smith’s dedication to advancing safe cloud-native development practices has helped guide, empower, equip and accelerate DoD programs through their DevSecOps journeys. Prior to joining Anchore, Smith was a DevOps and information security technologist with Booz Allen Hamilton, where he worked extensively on FedRAMP compliance. You can connect with Anchore on Twitter and LinkedIn.