Implementing DevSecOps in the Government

The 3 Keys to Success

By Rise8

In a recent conversation with Francis Rose, Bryon Kroger of Rise8 highlighted critical insights into why and how organizations, particularly within the government and defense sectors, should adopt DevSecOps practices. This blog delves deeper into these insights, outlining the strategic imperatives and practical steps for achieving success in a DevSecOps environment.

The Strategic Imperative for DevSecOps

Marc Andreessen's proclamation that "software is eating the world" has profound implications for all sectors, including government and defense. Kroger emphasizes that effective use of software can enable smaller entities to disrupt larger, more established competitors. This disruption is vital in a battlefield context, where agility and innovation can be the difference between success and failure. Similarly, in delivering critical services to citizens, the government's ability to leverage software effectively can determine public trust and satisfaction.

The Role of DevSecOps

Government services, though non-profit, are akin to businesses in that they must deliver excellent customer experiences to maintain trust and efficacy. Kroger asserts that DevSecOps is central to achieving this. The key lies in creating a tight feedback loop with customers—delivering software, measuring its impact, and iterating quickly based on feedback. This continuous improvement cycle is foundational to DevSecOps and is essential for enhancing customer experience.

Overcoming Common Obstacles

Alignment vs. Continuous Delivery

A common pitfall for organizations adopting DevSecOps is prioritizing alignment over continuous delivery. Referencing the "Avoiding the Alignment Trap in IT" paper, Kroger notes that organizations often get bogged down in trying to align on strategy before they have the capability to deliver and test their assumptions. Instead, he recommends achieving continuous delivery first. This approach lets teams test and iterate in real time, so alignment can be grounded in actual user feedback rather than untested assumptions.

Platform as a Service (PaaS)

For government agencies, achieving DevSecOps outcomes necessitates a robust platform as a service (PaaS) that incorporates compliance and other regulatory requirements. Kroger points out that such platforms should integrate guidelines, testing procedures, failover mechanisms, and records management, allowing teams to focus on delivering capabilities rather than getting bogged down in compliance issues.

Culture Change: The Linchpin of Success

Measurable Outcomes

The ultimate measure of a successful DevSecOps culture is the delivery of effective customer experiences. Kroger insists that if the customer experience is not improving, the culture has not yet been adequately transformed.

Practical Training Over Theoretical Instruction

Drawing an analogy from the automotive industry, Kroger recounts the transformation of GM’s worst-performing plant through a partnership with Toyota. Instead of relying on theoretical training, Toyota brought GM employees to Japan to work directly within their production system. This hands-on experience in a high-functioning environment was key to changing values, attitudes, and ultimately, the culture. Similarly, in DevSecOps, Kroger advocates for practical, paired work environments over conventional training methods to foster real cultural change.

Implementing DevSecOps: Practical Steps

  1. Establish Continuous Delivery: Focus on delivering small, incremental changes to production environments to establish a robust feedback loop.
  2. Build a Strong PaaS: Develop a platform that embeds compliance and regulatory requirements, enabling teams to focus on delivering user-centric capabilities.
  3. Promote Practical Learning: Emulate the Toyota model by providing hands-on, paired experiences rather than relying solely on theoretical training.

Conclusion

Succeeding in DevSecOps, particularly within the government and defense sectors, requires a strategic focus on continuous delivery, a robust compliance-integrated platform, and a hands-on approach to cultural transformation. By following these principles, organizations can enhance their agility, innovate effectively, and deliver superior customer experiences.