To achieve successful cross-functional DevSecOps transformation, leaders need to figure out how to improve collaboration across different teams, says this expert.

The pressure to innovate and ship better code faster has never been more intense. A growing number of Asia-Pacific (APAC) organizations are adopting DevSecOps to bring traditionally siloed development, security and operations teams together, and they count on continuous integration and continuous deployment (CI/CD) to shorten their software innovation cycles.

Organizations transitioning to CI/CD often see dramatic cultural shifts on the engineering team. Last year, an IDC survey found that internal culture and training issues remained the biggest obstacles to wholesale DevOps adoption in APAC. Many IT leaders concur, acknowledging that a key step in their transitions is understanding what barriers stand between different teams.

To achieve a successful DevSecOps transformation, leaders need to figure out how to improve collaboration across different teams and so unlock true agility in the development and deployment process.

DevSecOps is cross-functional collaboration

Collaboration is a core principle of DevOps, but it is even more critical when a third element, security, is brought into the mix. Giving team members across functions visibility into a single, shared workflow lets them work towards the common goal of managing security risk in their software. DevSecOps gives collaboration a special meaning because new security efforts shift roles and responsibilities: developers take on security tasks they did not previously own, and security teams move from gatekeeping releases to enabling them. Shifting security practices left therefore demands a new perspective before DevSecOps practices can truly get off the ground.

In GitLab’s 2020 DevSecOps Survey, respondents cited many strong reasons to do DevOps, including code quality, faster time to market, and happier developers. But if security is not part of the collaboration, the cross-functional effort falls apart.

Leading by example

To begin, leaders from each functional team need to gain a mutual understanding of the other teams’ functions, roadblocks, and goals. Then they should agree on how security will be integrated into Dev and Ops: how the lifecycle will flow, and how employees will be onboarded to any new processes. The outcome of that discussion should be shared across the entire organization so that everyone is on the same page.

Organizational heads will need to set an example for their teams. Employees should understand the collaborative work being done at the top, and how their own work is part of that effort. Additional expectations, outlined below, should also be communicated; together they foster a collaborative environment built on communication and reliability across teams.

Cross-functional team goals

It is important to start with cross-functional team goals. These can be broad (like “deliver a secure and stable product at every release”) or specific (“do not permit any new critical application vulnerabilities to be introduced to production”). Regardless of the goal, it should be clear that employees across all functions are working together to achieve the same thing, and that the cross-functional team will be evaluated as a whole.

Peer teaching and peer learning

When security employees understand the function and goals of Dev and Ops, they can give better guidance on how each role can produce secure work. Conversely, when Dev and Ops understand the function and goals of security, they will find it more natural to incorporate new security practices into their day-to-day work. In this way, employees come to understand how their goals align with and benefit each other. Employees should be encouraged to help one another learn, and to learn from each other with open minds.

Centralized information sharing

To enable this collaborative experience, information needs to be shared in a central location. Ideally, the entire project team has access to all the information it needs, with a single source of truth. This minimizes context-switching and reduces the likelihood of information getting lost or missed by team members. Keeping change logs, test and scan results, code reviews and other metrics in one place means everyone knows where to find the information they need to do their job efficiently, and everyone is seeing the same thing.

Set your DevSecOps collaboration goals

What does strong collaboration across your teams look like? Qualitative principles are harder to quantify than things like vulnerability counts, but there are plenty of ways to build your team’s collaborative muscles and measure their strength:

  1. Project planning is a joint effort between Dev, Sec, and Ops. The focus is on setting policies that balance speed and risk, then managing exceptions. Automation enforces the policies and reports exceptions, while metrics help the team improve the software factory process.
  2. Employees have access to, and actively contribute to, a single datastore with reporting and visibility across the DevSecOps lifecycle. Development and security collaborate within the same interface.
  3. Vulnerability management, reporting, and remediation cost less and happen faster than before you began your DevSecOps efforts.
  4. Project delays are rarely caused by lack of communication or information sharing.
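As an added illustration (not code from the article, from GitLab, or from any scanner), here is what “automation enforces the policies and reports exceptions” can look like for the specific goal quoted earlier, “do not permit any new critical application vulnerabilities to be introduced to production”. The gate compares the current build’s scan results with the last release’s baseline, blocks only on new critical findings, and honours a register of time-boxed exceptions so that accepted risk stays visible and cannot quietly become permanent. The report format, file paths, ticket identifiers and dates are all constructed for the example and are not any real product’s schema.

```python
"""Pipeline policy gate: fail the build only when it introduces NEW critical
findings relative to a baseline, honouring documented, time-boxed exceptions.
Added example; the JSON shape below is constructed, not a real scanner's format."""
import json
from datetime import date

# Constructed sample scanner output: last release's findings and the current build's.
BASELINE_REPORT = json.dumps({"findings": [
    {"rule_id": "CWE-89",  "path": "app/db.py",    "line": 40, "severity": "critical"},
    {"rule_id": "CWE-79",  "path": "app/views.py", "line": 12, "severity": "medium"},
]})

CURRENT_REPORT = json.dumps({"findings": [
    # same SQL injection finding; the line moved because code above it changed
    {"rule_id": "CWE-89",  "path": "app/db.py",         "line": 44, "severity": "critical"},
    {"rule_id": "CWE-79",  "path": "app/views.py",      "line": 12, "severity": "medium"},
    # new: unsafe deserialisation in session handling (no valid exception)
    {"rule_id": "CWE-502", "path": "app/session.py",    "line": 7,  "severity": "critical"},
    # new: hard-coded credential in a test fixture (covered by an active exception)
    {"rule_id": "CWE-798", "path": "tests/fixtures.py", "line": 3,  "severity": "critical"},
    # new but only "high": reported, not blocking under this policy
    {"rule_id": "CWE-22",  "path": "app/files.py",      "line": 90, "severity": "high"},
]})

# Constructed exception register. Every accepted risk carries an owner, a ticket
# reference (placeholder ids) and an expiry date, so exceptions must be renewed
# deliberately rather than lingering forever.
EXCEPTIONS = [
    {"rule_id": "CWE-798", "path": "tests/fixtures.py", "owner": "appsec",
     "ticket": "SEC-123", "expires": "2030-01-01"},
    {"rule_id": "CWE-502", "path": "app/session.py",   "owner": "platform",
     "ticket": "SEC-77",  "expires": "2020-01-01"},   # already expired
]

BLOCKING_SEVERITIES = {"critical"}   # the policy from the cross-functional goal


def finding_key(finding):
    """Identity of a finding. Deliberately ignores the line number so that
    unrelated edits which shift code do not make an old finding look new.
    Prefer the scanner's own fingerprint if it provides one."""
    return (finding["rule_id"], finding["path"])


def load_findings(report_json):
    """Parse a report into {key: finding}."""
    return {finding_key(f): f for f in json.loads(report_json)["findings"]}


def split_exceptions(exceptions, today):
    """Return (set of keys with an active exception, list of expired entries)."""
    active, expired = set(), []
    for entry in exceptions:
        if date.fromisoformat(entry["expires"]) >= today:
            active.add((entry["rule_id"], entry["path"]))
        else:
            expired.append(entry)
    return active, expired


def evaluate(baseline_json, current_json, exceptions, today):
    """Apply the policy: allow the build unless it introduces a blocking-severity
    finding that is absent from the baseline and has no active exception."""
    baseline = load_findings(baseline_json)
    current = load_findings(current_json)
    active, expired = split_exceptions(exceptions, today)

    new = {k: f for k, f in current.items() if k not in baseline}
    blocking = {k: f for k, f in new.items() if f["severity"] in BLOCKING_SEVERITIES}
    violations = sorted(k for k in blocking if k not in active)
    excepted = sorted(k for k in blocking if k in active)

    return {
        "allowed": not violations,
        "violations": violations,            # new blocking findings with no exception
        "excepted": excepted,                # new blocking findings covered by an exception
        "non_blocking_new": sorted(k for k in new if k not in blocking),
        "expired_exceptions": expired,       # surfaced so they get renewed or removed
    }


def demo():
    """Run the gate over the constructed reports as of a fixed date."""
    return evaluate(BASELINE_REPORT, CURRENT_REPORT, EXCEPTIONS, date(2024, 6, 1))


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["allowed"] else 1)
```

Run as a pipeline step, the script’s exit code is the policy decision and its JSON output is the shared record the article calls for: the blocked finding, the exception that let another one through, the new “high” that was reported but not blocking, and the expired exception that needs an owner to renew or remove it all land in the same place for Dev, Sec and Ops to see. Keying findings on rule and file rather than line number is the one design choice worth copying; gates that compare raw line numbers flag old issues as new whenever unrelated code moves, and teams quickly learn to ignore them.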

The current pandemic has already prompted a change of mindset and a focus on digital transformation at every level of enterprise, government and industry. By enabling a successful mindset shift and transition to DevSecOps, organizations can bring speed, consistency and even happiness into their innovation efforts. It will change how teams experiment and innovate so they can adapt, transform and deliver value to their customers faster than ever.