Last week’s DevOps Connect event at RSA Conference offered up a ton of wisdom and real-world examples of the power of DevSecOps. With its best-ever attendance after several years and impressive participation levels, this year’s event stands as a good harbinger for the growing interest that the security community has in vesting itself in the DevOps phenomenon.
But there’s still a lot of work to do in helping security professionals shift their mindsets and fully understand what DevSecOps is all about. Questions from the audience offered evidence of some of the trepidation and misconceptions that still exist in the security community.
For example, after one of the first talks of the day, an audience member raised a typical point of confusion for those new to DevOps: the misunderstanding that because DevOps melds disciplines and requires team members to flex their skills across traditional IT boundaries, everyone in IT must become a renaissance man or woman with in-depth knowledge of every IT specialty.
“Not everyone can know .NET, not everyone can know Python, not everyone can know firewalls,” the audience member said. “I’ve been doing this a long time and it takes a lot to become an expert in any one of these categories. And yet I’m hearing, ‘Oh, everyone needs to know it all.’ They can’t, so how do you deal with that?”
This was a valuable question to revisit here, because the response from one particular speaker offers up an extremely important tenet that everyone in the DevSecOps world needs to keep in mind. The answer came from Paula Thrasher, a longtime DevOps evangelist in one of the hardest spaces in which to implement cutting-edge IT processes: federal IT. As she explained, one of the biggest criteria for a successful DevSecOps transformation is the ability to build fully engaged cross-functional teams. Individuals working within DevOps are not meant to know everything. Rather, different specialists need to be paired up so that the complete team has the full body of knowledge at its fingertips.
“It’s the fidelity of your collaboration within the cross-functional team that makes this successful,” explained Thrasher, who is director of digital services for General Dynamics, a large federal IT integrator.
For example, she pointed to one particular team she has seen in her work that is the epitome of a solid cross-functional team.
“My teams all have mascots, and so one of our teams is the Tigers. The best quote I’ve heard from a team about this topic came from a new employee who said, ‘If one Tiger knows it, they all know it,’” she said. “This is a team that has a crazy diverse background—there’s developers, there’s ops people, there’s a former networker on there—and it doesn’t require everyone on that team to know everything. They collaborate so well that if there’s a network vulnerability, the network guy knows it and tells everybody.”
This is why Thrasher sees cross-functional teams that include security people as a major success criterion for DevSecOps.
“I usually say the first thing should be if your teams aren’t cross-functional, start with that. You don’t have to change anyone’s boss, you don’t have to change anything else about who you report to, but make sure your teams represent all of the skills you need to deliver,” she said.
Not only will the teams be able to deliver all of the necessary skills when working as a unit; there is also an ancillary benefit. In the process, they train each other, and each team member ends up with a more diverse set of skills, perhaps becoming a renaissance man or woman along the way.
“They might have been a graduate of a cyberprogram and they’re next to a graduate of a CIS-type program and they’re next to a math major and they’re next to a hardware engineer, and they’re all kind of new because they’re recent graduates, but they’re learning with each other and we’re going to train them with some more senior engineers that we self-select to be good mentors,” she said. “This is how you are giving people the skills to work with this next generation of automation and technology, both in the security realm and the Ops realm and the Dev realm.”