Tips to scale your DevSecOps organization from Gene Kim and Guy Podjarny
November 2, 2020
0 mins readDuring SnykCon 2020, author and researcher Gene Kim sat down with Snyk co-founder and President Guy Podjarny and a small group of Snyk VIPs to talk about (Sec)DevOps—where we started, how far we’ve come, and strategies for getting the most value out of the practice.
The conversation spanned from philosophical questions to real-world implementations, and both Gene and Guy offered some valuable insights gleaned from their own experiences leading and studying top-performing companies.
Below are a few of the most interesting takeaways from the conversation.
We have a long way to go
Guy started out the conversation by asking whether DevOps is helping or hurting security. The consensus is that it’s helping, but perhaps more importantly, that DevOps is quite simply the reality for high-performing businesses today. So security teams and anyone with an interest in security needs to figure out how to make SecDevOps work.
They talked about how far we have come with DevOps adoption. Gene leaned on his extensive research on DevOps uptake to share that the industry is, at most, around 5% adoption across teams. So while DevOps is largely seen as the ideal and the way forward, we have a long way to go in terms of it becoming mainstream and commonplace.
They talked about how to conceptualize DevOps. Is it a movement? A title? Gene made a great point: In many ways, having DevOps in a job title is simply a way of matching supply with demand. So, while DevOps may be more of a practice than anything else, there’s no strong argument against using it to describe what a person does within an organization.
Much of the rest of the conversation was devoted to exploring how to spread DevOps best practices and facilitate adoption across all types of organizations. Below are some tips from the experts.
Tip: make DevOps and security easy
One recommendation that Guy and Gene both shared is the importance of making both DevOps and security as easy as possible to apply. Both should be integrated into all aspects of strategy and operations. This equips and empowers anyone to run with the ball. The goal should always be to reduce friction and require minimal effort to “do the right thing.”
One way to think about this is to shift the concept of “DevOps” a little and focus more on “platform” as a way of describing what those teams are doing. Platform or DevOps teams should be investing in building platforms that enable developers to build end-to-end applications as simply as possible.
As Gene put it, any hours spent by developers on platform-related work have a big opportunity cost. Developers are specialists who should remain focused on software engineering problems—not operations challenges.
Tip: show the business why they should care about DevOps
One participant in the conversation asked how to deal with a low-maturity DevOps situation. In other words, how do you approach DevOps transformation when there is no buy-in at the business level?
Gene recommended showing business leaders how DevOps directly impacts the bottom line and illustrating for them how their leadership around DevOps can improve the business. He also recommended explaining what happens when leadership abdicates this responsibility. You can also draw a parallel: For organizations who have made the switch from waterfall to Agile, it’s often clear what the value of this shift has been. When the time comes to make the transition to DevOps, pointing out the benefits from the Agile shift can be powerful.
Beyond this, Gene pointed out the necessity of DevOps and security for both short-term and long-term resilience. Whether we are talking about COVID in the very near-term or climate change now and in the future, there will inevitably be changes in global economic conditions that teams need to be able to respond to. SecDevOps is one important way to grease the wheels and enable resilience.
Finally, Gene recommended taking a look at the State of DevOps report to aid with benchmarking, improvement, and leadership inspiration. It’s hard to argue with 6 years of research and 31,000 pros.
Tip: balance freedom with chaos
One big challenge many DevOps teams face is how to give developers autonomy to choose the tools they prefer and work in a way that is efficient for them without spiraling into organizational chaos. The overall goal: Liberate the development team while also optimizing for productivity. Both Gene and Guy shared several helpful frameworks for this, inspired by companies who have taken creative approaches to this problem.
Approach 1: guardrails
One team used Github to build a list of tools and mark them as “recommended,” “unknown,” or “avoid.” Recommended tools were supported by the organization and the ideal choices. Unknown had not yet been evaluated. “Avoid” tools were those that the organization had determined were not sufficiently secure or didn’t fit well within existing workflows and processes for whatever reason.
Approach 2: no undifferentiated heavy lifting
Another large company took the approach of declaring that there should be “no undifferentiated heavy lifting.” In other words, if there is a process that takes place frequently and in a repeatable way across the organization, it should be done one way. They applied this thinking to their continuous integration workflows, and though it took multiple years to achieve this, they moved every engineering team to one CI system. Changes like this can be unpleasant at the start, but they are well worth it for the efficiency gains.
Approach 3: the paved road
A third large business decided to create what they refer to as a “paved road.” This means there is a shared definition of what “good” looks like when it comes to working within the organization. Technologies are selected specifically to correlate with this definition of good. In this way, the organization has built a paved road, and everyone who works there knows that is the safest and fastest way to get most places within the company. That said, if people want to go off the beaten path and bushwhack their way forward, they can do that. No one is told what to do. But the paved road has clear advantages, so most people choose it.
Parting words
Though we covered a lot of ground during this conversation, the above wisdom includes some of our favorite takeaways that can be applied to almost any organization. When it comes to balancing autonomy with chaos, the three approaches described above have a lot in common, but also offer different philosophies to demonstrate that there’s not one single right way to go about it.
As Guy put it, “Clearly there is efficiency from a central approach, but there’s a lack of agility. Aligning on whether things should be the same or different and what ‘good’ looks like is very helpful.”
Curious how Snyk can help you implement DevSecOps at your company? Book a demo today!
Developer loved. Security trusted.
Snyk's dev-first tooling provides integrated and automated security that meets your governance and compliance needs.