Making security an integral part of DevOps has become a standard in the industry – at least in theory and conversation. No one will argue about the importance of shifting security to the left. However, while a groundswell of engineers, developers, and designers are collaborating using DevSecOps tools and practices, fully realizing this shift and making it part of the organizational culture will depend on leadership’s actions. To fully realize the crucial benefits of a DevSecOps framework, top leaders need to do more than talk the talk. They need to walk the walk through their policies, communications, and tool selections. Leaders can take concrete steps to modernize their DevSecOps practice and make this shift part of their organization’s core identity. The following steps will help leaders do that and be sure they are getting the most out of the latest approach to development.
- Create Innovation Factories – Leaders will never see their teams reach their full potential unless they are given the time, tools, and space. Of course, people can learn on the job, but innovation factories give them the opportunity to try new processes and tools in a low-risk, highly supported environment. Deliberate spaces for innovation allow staff to learn, collaborate, and deliver using the latest DevSecOps tools and practices. At the same time, the combined experience and insight in the Innovation Factory can help develop new best practices and showcase the process and results as a model for other teams.
- Promote Code Clean-Up Events, a.k.a. Bug Bashes – Part of changing the culture is embedding the idea that high-quality, secure code is a critical part of the practice. In a world of short timelines and looming deadlines, this can be easy to forget. Whether it’s a single day or a recurring slot every release, events purposely dedicated to proactive code cleanup keep deadlines from getting in the way of DevSecOps best practices. Bug bashes are also a fantastic opportunity for teams across the organization to come together with the common purpose of catching bugs, cutting regression time, and collaborating on QA.
- Select an Automated Security Tool – Select a tool that integrates with the workflow, automates code scanning, and can be used standalone or alongside additional security tools. Tools that scan code as it is committed automate the shift left and move it into real time. The value is that it is far easier and cheaper to detect vulnerabilities and fix code earlier in the development lifecycle, so a more secure product can be delivered faster.
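To make the "scan as it is committed" idea concrete, here is an added example (not from the article, and not any particular vendor's tool) of a minimal git pre-commit hook. It scans only the lines being added in the staged diff for a few constructed hard-coded-credential patterns and blocks the commit on a finding; the pattern list and the `--hook`-style guard on `$0` are assumptions of this example, and a real deployment would call the organization's chosen scanner at the same point in the workflow.

```shell
#!/bin/sh
# Added example (not the article's or any vendor's code): a git pre-commit hook
# that stands in for an automated security tool running at commit time.
# Install by copying to .git/hooks/pre-commit and making it executable.

Q="'"
# Constructed patterns for illustration only; a real hook would delegate to a
# dedicated secret scanner or SAST tool with a maintained ruleset.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----|(password|passwd|secret|api_key)[[:space:]]*[:=][[:space:]]*[\"$Q][^\"$Q]{8,}"

# scan_added_lines: read a unified diff on stdin, keep only added lines
# (so pre-existing findings do not block unrelated commits), print any match
# to stderr, and return 1 on a finding or 0 when the diff is clean.
scan_added_lines() {
    findings=$(grep -E '^\+[^+]' | grep -E -i "$SECRET_PATTERNS" | sed 's/^+//')
    if [ -n "$findings" ]; then
        printf 'pre-commit: possible secret in staged changes:\n%s\n' "$findings" >&2
        return 1
    fi
    return 0
}

# When git runs this file as .git/hooks/pre-commit, $0 ends in "pre-commit";
# scan the staged diff and let a non-zero exit block the commit.
case "$0" in
    */pre-commit)
        if ! git diff --cached --unified=0 | scan_added_lines; then
            echo 'Commit blocked: remove the secret from the staged changes and retry.' >&2
            exit 1
        fi
        ;;
esac
```

Because the hook exits non-zero, git refuses the commit and the finding is fixed before it ever reaches the shared history, which is exactly the "real time" shift left the bullet describes; the same check can run again in the CI pipeline as a backstop for anyone who has not installed the hook.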
- Remove Obstacles to Speed – Part of changing the culture is committing, as a leader, to giving the team everything they need to succeed. While DevSecOps pushes the focus on security, it also remains focused on time. Engineers, developers, designers, and other team members need to know that leaders understand the unnecessary stressors and are working to remove them. Keep the team happy by removing workflow disrupters that eat away at precious time. Offer tools that give developers the most visibility into pipelines and workflow. Ensure that everything is integrated and traceable and that people don’t need to move between multiple tools to get their work done. This will not only show them that they are being supported, but it will also save them time that can be invested in following best practices.
- Shine the Spotlight – Highlight teams that have modernized their DevSecOps practices and can share their learnings throughout the organization in relatable stories. Showcasing internal teams sends the message of what is possible in-house and provides the opportunity to share how the team overcame resistance to change, worked through challenges with tools or processes, and what they counted as successes on their journey. Teams sharing and showing their journey helps reinforce community and brand as maturity evolves.
Cultural change takes time and continued commitment by leadership to reinforce policies, tool selection, and delivery expectations that align with DevSecOps. Simply changing procedures and processes can create incremental improvement, but a culture shift is needed to take an organization to a fundamentally different place.