Smart technologies are changing today’s Federal IT landscape by advancing modernization, but with new technology comes new risks. From emerging threat vectors to new entry points for malicious attacks, balancing innovation with security remains an ongoing challenge for Federal agencies.
At the recent Government Acquisitions event FedFocus: Smart Technologies Accelerating Mission, panelists gave the inside track on how to integrate security into the implementation of new technology with a DevSecOps strategy. Panelists included:
- Bill Aubin, Vice President, Federal Exabeam
- Cpt. Craig Hodge, Deputy Chief Technology Officer, U.S. Immigration and Customs Enforcement, Department of Homeland Security
- Darryl Peek, Director of Digital, Innovation and Solutions, Department of Homeland Security.
Before diving into best practices, the panel discussed the significance of DevSecOps in their organizations. According to Peek, DevSecOps is about achieving and identifying outcomes. “It is about being able to put yourself in the mindset of an end user,” Peek said. “That is a mindset of faster delivery, better implementation and more realistic outcomes.”
Cultural challenges of implementation
Cpt. Hodge stressed that the internal changes surrounding DevSecOps create some of the biggest challenges for agencies. “The government doesn’t do very much developing, but we do provide oversight and security. We need to adapt our culture to provide that support,” Cpt. Hodge said. “Sometimes the fear of the unknown gets in the way. It’s not a technology problem, it’s almost always a people problem.”
The panel shared best practices for changing the perspective of organization employees that may be wary of the DevSecOps approach. “We started by educating about agile development, what it entails and its requirements,” Cpt. Hodge said. “The key is to have people understand that we need to deliver faster through automation.”
Peek reinforced Hodge’s advice by sharing his best practices for agile education. “We started the agile training pilots so we can transform the way we look at delivery.” After facilitating the discussion, Peek noticed more people within the agency were taking an agile approach. “More people were starting to show a collaborative effort to speak the same language. We leveraged the agile approach to increase the flow of ideas and requirements so we can continuously receive feedback from customers.”
Overall, the panel advised that organizations invest in ways to ensure a smooth cultural transition to DevSecOps. “Some people say pull the Band-Aid off, but cultural change is a process. Culture eats strategy any day,” Cpt. Hodge insisted.
Aubin referenced his experience in the commercial industry to speak about the communication challenge between vendors and government agencies. “A lot of agencies depend on vendors to develop DevSecOps,” Aubin said. “But the companies that create technologies build for the commercial space, not the U.S. government. The differences in technology requirements can lead to a lot of backpedaling during project initiation.”
Cpt. Hodge noted that the poor communication goes beyond a difference in initial priorities. “We’ve found that some people in government don’t want to interact with contractors,” Cpt. Hodge said. “It is critical that the product owner and mission area participate from beginning to end. You cannot just hand off a list of requirements to vendors and then be hands off.”
Poor communication between developers, project managers and vendors can result in poorly executed projects. “From a vendor perspective, we beg for program managers and project owners to be a part of the process,” Aubin said. “We receive complaints because the product owner, procurement officer and customer never talk. So when the product is delivered, they end up unsatisfied.”
Peek agreed that there is strength in proper communication between all parties. “It is the responsibility of government to know what that outcome will be ahead of time so they can communicate with the vendors,” Peek insisted. “A lot of the time, agencies don’t have a strong portfolio approach so we fail to be of better guidance to vendors. Keeping track of a strong portfolio is critical.”
A lot of organizations are still in the early phases of implementing a DevSecOps approach, so the panel shared best practices for setting up a successful DevSecOps environment. Peek stressed the importance of making DevSecOps implementation a collaborative effort.
“Something that helped the adoption of DevSecOps was to increase collaboration to create an environment of sharing,” Peek said. “All teams are now centralizing their thoughts because they know that without collaboration we would miss out on significant opportunity within the team. It helped with the overall adoption of DevSecOps as well as the cultural shift.”
Peek stated that collaboration during DevSecOps implementation is as important for an individual as it is for the organization as a whole. “People need to continuously be a student,” Peek stated. “People need to understand that they may not know certain things and that they need to have conversations that are difficult. If someone says your approach is wrong, you’re not failing; it just means you should be learning.”