Corporate culture is a game. It is a team game. It is a game with winners and losers, with big payouts or big headaches. Your team can have superstars, it can have inexperienced players, it can have big egos or it can have a collaborative spirit. The team you put together can carry you to success by delivering a project that meets your expectations of quality on time, or it can get stuck along the way and fall short of expectations. In the end, it is all about how well everyone on the team plays together with a single goal and purpose.
I spent almost 20 years building technology for financial services organizations, working with teams of different sizes that were able to achieve varying levels of success. Some teams were small but had all the necessary skills to design, develop, test and manage their applications once in production. Others were larger and had specialized groups that focused on different areas of the stack, with architects, developers, business analysts, each of whom interacted with separate quality assurance (QA) and support teams.
I have seen successful companies recognize the benefits of a DevOps culture, understanding that the unnecessary gap between engineering and operations can be a hurdle to better productivity, thus working hard to break down the wall between development, QA and application support teams. They were brought together with a common goal, aligning their incentives, which enabled them to succeed together. These teams got smaller and more efficient. They had all the skills to build, test and support their products. They adopted agile frameworks and got better with every sprint. Their members collaborated daily and helped each other along the way. They automated and orchestrated to make their lives easier, worked cohesively and realized all the benefits of the DevOps culture.
Others did not. They kept their groups separate, specialized, independent, often pointing fingers at each other in a struggle of power or simply avoiding responsibility for delays or failure. Their direct reporting lines were separated in the name of division of responsibility instead of being brought together to unify the vision and the execution across the board. There was management instead of leadership, and performance measurement by metrics that did not accurately reflect the state of the overall project. As a result, they often failed and their projects were late or released prematurely with significant bugs.
Traditional DevOps works well for many. It focuses on bringing together a multidisciplinary team and giving them the tools and frameworks to succeed. It strives to build faster and with higher quality. It doesn't, however, typically focus on building more secure applications, and that is no longer an option in today's world.
Cybersecurity is changing the game
The game is now changing. Cybersecurity is a necessity and, in many cases, is becoming an integral part of a company's culture. It is a requirement, an expectation and a duty to clients, stakeholders and partners. It is a piece of the corporate performance puzzle that has become just as important as innovation and operational excellence. However, security teams are still viewed as separate entities, responsible for audits and controls. They are not usually part of the core team, and they are not embraced as an enabler of better products, faster delivery and sustained innovation. They are viewed as a team that reacts to incidents, formulates controls, manually scans code and applications, and produces reports. They are perceived to lack empathy for the development team's goal of improving the delivery pipeline because their focus is on application security alone. However, building feature-rich products, building secure products and delivering quickly should not be mutually exclusive; they are all good goals for the team. In fact, everyone in the organization should be empowered to recognize that security is part of their responsibility.
The four pillars of DevOps culture
In product and software development, security should be the fourth pillar of the DevOps culture, adjacent to development, QA and operations, and part of DevSecOps. Development emphasis should be on a collaborative approach, common goals and a single cross-functional team, which yields better results than multiple teams working individually toward different goals. For example, developers and engineers should be able to scan code as soon as it is committed to a code repository, check the open source and third-party libraries they use for known vulnerabilities, scan build artifacts as soon as the build completes and scan the entire application stack before releasing it to production. They should also continue to check for vulnerabilities on a regular basis, both to detect issues introduced by manual configuration changes made outside the normal controls and to detect newly disclosed vulnerabilities that were not known at the time of the last scan. This approach allows developers and engineers to fix issues as soon as they are introduced, when fixing them is quickest and cheapest.
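As an added illustration of the recurring checks described above (this is example code written for this page, not a tool from the author or Cybric), the following pipeline gate scans declared dependencies against an advisory list using version ranges, shows how re-running the same scan against a later advisory list surfaces a newly disclosed issue, and flags configuration drift between the last scanned baseline and the live state. All package names, advisory ids and configuration keys are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """A constructed advisory: versions in [introduced, fixed) are affected."""
    package: str
    introduced: tuple
    fixed: tuple
    advisory_id: str


def parse_version(version: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so tuple comparison orders versions correctly."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    return adv.introduced <= parse_version(version) < adv.fixed


def scan_dependencies(deps: dict, advisories: list) -> list:
    """deps maps package name to pinned version; returns sorted (name, version, id) findings."""
    findings = []
    for name, version in deps.items():
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                findings.append((name, version, adv.advisory_id))
    return sorted(findings)


def detect_drift(baseline: dict, live: dict) -> list:
    """Keys whose value differs between the last scanned baseline and the live config."""
    return sorted(k for k in set(baseline) | set(live) if baseline.get(k) != live.get(k))


def gate(deps: dict, advisories: list, baseline: dict, live: dict) -> dict:
    """The release gate passes only with no vulnerable dependencies and no drift."""
    findings = scan_dependencies(deps, advisories)
    drift = detect_drift(baseline, live)
    return {"pass": not findings and not drift, "findings": findings, "drift": drift}


# Constructed sample data: the same dependency set scanned on day 1 and again on day 30.
DEPS = {"libfoo": "1.4.2", "libbar": "2.0.0"}
ADVISORIES_DAY1 = [Advisory("libfoo", (1, 0, 0), (1, 4, 0), "EXAMPLE-0001")]
ADVISORIES_DAY30 = ADVISORIES_DAY1 + [Advisory("libbar", (2, 0, 0), (2, 0, 1), "EXAMPLE-0002")]
BASELINE_CONFIG = {"tls_min_version": "1.2", "debug": False}
LIVE_CONFIG = {"tls_min_version": "1.2", "debug": True}  # a manual change outside the pipeline
```

On day 1 the gate passes (libfoo 1.4.2 is past the fixed version); on day 30 the same dependencies fail because of the newly published libbar advisory, and the drift check reports the out-of-band `debug` change.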
Some companies will embrace this approach and accelerate their ability to deliver more secure applications and platforms at the speed of DevOps by enabling and empowering their teams with the tools they need. Others will continue to be reactive and treat security as a hurdle, or as simply a box to check on an audit report, allowing the gap between their teams to undermine their success. As a result, some teams will play the game well, and others won't.
DevOps has transformed how we deliver software and allowed us to leverage automation and orchestration to speed up the delivery, testing and management of our applications. The same principles can allow us to bring security into the mix. DevSecOps as a movement will take time, but it will help deliver better and more secure software solutions. The combination of new technologies with a cultural shift toward embracing new advancements will make DevSecOps the common thread in every security approach in the near future. So the choice is yours. You can mold your own culture to embrace this concept and lead the team to a better place, or be content with doing things the old way.
How will you help your team win the game?
Andrei Bezdedeanu, Director of Engineering at Cybric