Gaining stakeholder buy-in for DevSecOps comes with some upfront work. You don’t want to present to your department’s leadership, much less your C-Suite, to talk about DevSecOps unless you have an accurate picture of where your development teams are currently and where they need to go in the future.
Here are three tips for preparing to get stakeholder buy-in for DevSecOps:
1. Analyze your Development Process Maturity
Whether DevSecOps is just the next step in your DevOps journey or you’re making your initial foray into DevSecOps straight from a waterfall SDLC, a critical step in the first phase is to analyze the maturity of your software development process. Your analysis should include:
- Document any current state processes
- Gather any reporting data about your current development processes
- Interview key developers about what’s working and not currently working in your development processes
- Interview key security team members about what’s working well and what’s not working in their processes and procedures that support your applications in development and production
Before presenting this information to your stakeholders, distill it down into the key points in a format that’ll resonate with your stakeholders. For example, if you work in a data-driven organization, then let the numbers tell your story. Non-technical stakeholders may also need a quick DevOps to DevSecOps education that hones in on how DevSecOps benefits their piece of the business.
2. Define DevSecOps for your Organization
Software vendor marketing and the OSS community each put their spin on the definition of DevSecOps. Therefore, as part of your outreach, it’s important to define DevSecOps for your organization, including:
- What DevSecOps means to your organization
- The expected outcomes after moving to DevSecOps
- The tools and processes your organization is putting into place to ensure employee success
Spare your teams from any misunderstandings and document your DevSecOps definition. Post that definition in a place that’s accessible to all your team members and stakeholders. It’s not about creating a project charter for your DevOps to DevSecOps transformation, but defining your true north.
3. Plan for a DevSecOps Culture
Like DevOps, you can’t buy DevSecOps. Your managers and key technology team members need to work together to foster DevSecOps cultural philosophies that take your DevOps foundation to DevSecOps transformation.
Culture can be a squishy word to some stakeholders. It’s important to couch DevSecOps culture in business terms with an eye for how it benefits the organization. A simple way to do this is to create a DevSecOps roadmap with milestones for each major transformation point, including:
Continuous Feedback and Interaction
Cross-functional DevSecOps teams may collaborate remotely, which can create challenges with continuous feedback. It’s not about a manager delivering feedback on the DevSecOps team performance. Instead, it’s about enabling teams to collaborate more effectively. ChatOps tools such as Slack, Microsoft Teams, and MatterMost can now replace email for DevSecOps teams. As technology such as artificial intelligence (AI) improves, you can expect to see more automation through chatbots.
The shift to cloud-native applications is driving the adoption of container-based delivery models. DevSecOps plays a critical role in the move to container-based architectures, which can be a cultural change in and unto itself for DevOps teams. A proper and robust implementation of containers changes developer and operations cultures because it changes the development model of how architects design solutions, programmers create code, and how operations teams maintain production applications.
Like DevOps, DevSecOps is no place for micromanagers at any level of your organization. A standard part of DevSecOps culture is enabling your teams to choose their own tools and create their processes based on the way they work. DevSecOps also promotes distributed decision models to support greater innovation and delivery velocity.
DevSecOps extensively embeds automation for security checks and remediation workflows directly into DevOps processes and toolchains. An automation strategy that extends to security is a sign of a healthy DevSecOps culture.
DevSecOps Training for Developers
Another step to security becoming part of everyone’s job is to provide security training for your developers. Training could take the form of in-house developer training in casual formats such as Lunch and Learns or more formal training classes conducted by your organization’s training department. Another option is to send your developers to a third-party training provider to get the requisite security training. Depending on your security ambitions (and budget), there is always the option to send your DevOps team members to get a vendor certification such as the DevSecOps Foundation certification from the DevOps Institute the Certified DevSecOps Professional (CDP) from practical-devsecops.com.
Preparing your case to advance your DevOps journey with data, a current state picture of your development processes, and a plan to transform your development team culture enables you to meet your stakeholders with the facts and strategy they require to make a decision to grant budget and staffing to the effort.