
Moving From Tools to Cultural Changes With DevSecOps

“If it ain’t broke, don’t fix it” is a mentality that has stymied governments for decades — robbing agencies of the benefits that come from incrementally improving operations and adapting to change.

But with growing acceptance of approaches such as Agile and DevSecOps taking hold over the years, the business-as-usual mindset is gradually fading.

“The thing that folks are taking to heart is that these methodologies aren’t about tools but about cultural change,” said Kurt Steege, Chief Technology Officer at IT solutions provider ThunderCat Technology. “It’s about how you can take your mission to the next level and solve problems in a completely new way.”

Consider, for example, that before COVID-19 many government agencies saw mass telework as far-fetched and impossible to accommodate. Networks and infrastructure were not built to support a fully remote workforce, but when confronted with no other option, agencies had to find a solution.

Joining forces with partners such as Dell Technologies, ThunderCat takes a consultative approach with its government customers to ensure the best possible solution. “The key is understanding what risk is tolerable and what risk is not,” Steege said.

He shared three tips that agencies should keep in mind as they embrace incremental development using DevSecOps.

1. Prioritize the three-legged stool: people, processes and technology

Traditionally, silos have compartmentalized the work happening in the IT space.

“And when you start to bring development and security into that mix, there’s this tendency to finger point when issues arise, unless there’s a mindset shift,” Steege said. “Teams must work collaboratively to ensure all legs of the stool have equal focus, otherwise the stability is compromised.”

2. Embed security into everything you do

It’s not a coincidence that the “Sec” in DevSecOps is in the middle because it is critical to everything that agencies do, Steege said. In the past, agencies treated security as an add-on. “If you do that, you’re setting yourself up for a much longer time period to get things done,” he said.

The concept of DevSecOps incorporates security into every aspect of the process — from the initial work and throughout the deployment process. Integrating security throughout the entire lifecycle puts you in a better position to catch and remediate issues early, which leads to more secure and rapid deployments.

3. Measure success

“You need to be able to measure what is going on when dealing with more integrated teams,” Steege said. He highlighted an extensive annual report from research firm DORA, which details the importance of measuring success within the DevOps framework.

Metrics to consider are the time it takes to put the latest software changes into production, how often changes are actually deployed, the change failure rate, and how long it takes to restore service when there is an issue.
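As an added example (not code from the article, GovLoop or ThunderCat), the following Python computes the four metrics listed above, commonly known as the DORA four key metrics, from a constructed list of deployment records; the record layout and field names are assumptions made for this illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample data (not real deployments). Each record holds the time
# the change was committed, the time it reached production, whether it caused
# an incident, and when service was restored (None if there was no incident).
DEPLOYS = [
    {"commit": "2024-03-01T09:00", "deploy": "2024-03-01T15:00", "failed": False, "restored": None},
    {"commit": "2024-03-02T10:00", "deploy": "2024-03-03T11:00", "failed": True,  "restored": "2024-03-03T13:00"},
    {"commit": "2024-03-04T08:00", "deploy": "2024-03-04T12:00", "failed": False, "restored": None},
    {"commit": "2024-03-05T14:00", "deploy": "2024-03-07T09:00", "failed": True,  "restored": "2024-03-07T10:30"},
]


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def dora_metrics(deploys: list, window_days: int) -> dict:
    """Return the four key metrics for the deployments observed in a window of window_days days.

    lead_time_hours_median : commit-to-production time (median, hours)
    deploys_per_week       : deployment frequency normalised to a 7-day week
    change_failure_rate    : fraction of deployments that caused an incident
    mttr_hours_median      : time to restore service after a failed deployment
                             (None when no deployment failed, rather than a misleading 0)
    """
    if not deploys or window_days <= 0:
        raise ValueError("need at least one deployment and a positive window")
    lead_times = [_hours_between(d["commit"], d["deploy"]) for d in deploys]
    failed = [d for d in deploys if d["failed"]]
    restore_times = [_hours_between(d["deploy"], d["restored"]) for d in failed if d["restored"]]
    return {
        "lead_time_hours_median": median(lead_times),
        "deploys_per_week": len(deploys) * 7 / window_days,
        "change_failure_rate": len(failed) / len(deploys),
        "mttr_hours_median": median(restore_times) if restore_times else None,
    }


if __name__ == "__main__":
    for name, value in dora_metrics(DEPLOYS, window_days=7).items():
        print(f"{name}: {value}")
```

Tracking these four numbers release over release, rather than once, is what makes them useful for judging whether integrating security earlier is actually shortening the path to production.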

“Although culturally it can be hard, bringing together development, operations and security into an integrated team, working together to achieve a common goal, can accomplish so much more than working in silos,” Steege said.

This article is an excerpt from GovLoop’s recent guide, “Agile for Everyone: How to Improve Everyday Work Processes.”
