DevSecOps looking for more robust leadership as it spreads beyond IT
March 6, 2020 9:16 am
This content is provided by Atlassian.
DevSecOps has reached a tipping point in the federal community, according to a new Federal News Network survey. It’s been said for years that agile development is foremost about people and processes; it’s about changing culture first, and technology second. Feds in the IT field are starting to report that while there are still obstacles to overcome, the first step of culture change has been accomplished.
“We have been doing this for a while now,” said one respondent to the survey. “It takes time to change the culture from waterfall to DevSecOps. But the culture has now shifted.”
DevSecOps has nearly reached a full saturation point within IT fields, and is beginning to spread outward from there. Almost 70% of respondents who work in IT said their agency has successfully used the DevSecOps approach to software or application development.
IT workers overwhelmingly said speed to new capabilities and automation of redundant, time-consuming processes are the two main factors that decide which projects get the DevSecOps approach. About 75% of respondents listed these two factors.
And failure is becoming less taboo. While about 55% of respondents were still “very concerned” or “somewhat concerned” that projects or sprints would fail, others are embracing the learning potential of a “fail fast, fail often” approach.
“Failure is expected,” said one respondent. “Agile is about constant improvement. Without failure, there is nothing to improve on.”
And when projects do fail, respondents pointed to three major obstacles:
Agency culture as a whole.
Lack of collaboration at the agency.
Employee and contractor turnover, coupled with a failure to adequately train replacements, is one culprit.
“The agency needs a team specifically devoted to DevSecOps and continuous testing and development. Not sure we have the funding for this HR/skill need,” said one respondent.
IT workers said communication issues and failure to share information have also torpedoed projects and sprints in the past. “Large agencies find collaboration difficult,” said one respondent.
Others were more specific, saying federal employees outside the IT field, and especially at the department level, don’t fully understand the process yet.
“We continue to have extremely low success on deployment of software upgrades because tests fail obscure security requirements set at the Department level, requirements that are (understandably) ever-changing,” said one respondent. “I’m highly dissatisfied with the whole system and do not see a solution in sight.”
“IT has been taken to Department level unilaterally, and the people there neither know nor care what works or why things work the way they do,” said another respondent.
And the survey results bear that out. While DevSecOps is starting to trickle out of the IT field and into the rest of the federal government, it’s far from achieving the saturation level that it has within IT. Only 7.5% of respondents who don’t work in IT said they were familiar with the concept, and only 25% of those said their agencies were actually implementing it. Another 50% weren’t sure.
And adoption of DevSecOps can be tied to an agency’s posture on innovation. Of the respondents who hadn’t heard of DevSecOps, a little more than half said their agency adopts new or innovative technology processes “some of the time.”
But that lack of knowledge isn’t particularly surprising, as two-thirds of non-IT respondents said their businesses or mission areas were “barely involved,” not involved at all, or unsure if they were involved in developing project requirements and plans for internal or external technology services.
“Field managers are rarely asked what they need for major IT projects these days,” said one respondent.
And two-thirds of non-IT respondents also said their offices did not often get to review and comment on new technology capabilities that are under development before they are launched to the general public or a broad internal audience.
But there is some agreement between the IT and non-IT respondents: non-IT respondents also rated lack of training as one of the biggest obstacles to implementing DevSecOps.
And while these respondents also pointed to software tools and the budget process as major obstacles, 63% also said collaboration within the agency is difficult. Zero respondents said it was easy.
But there seems to be an appetite for this kind of culture change among non-IT respondents. Half said creating collaboration and trust outside of traditional silos was a major benefit of implementing DevSecOps, while 61% are excited about automation of redundant or time-consuming processes.
Ultimately, one respondent summed up the situation fairly well: “There are a few small pockets of success, but the strategy … is still too fragmented,” they said. “It is possible to achieve, but is currently very reliant on a small, fragile leadership cadre.”
As the culture spreads outward from the IT community into federal agencies as a whole, that leadership cadre should begin to grow more robust and widespread, allowing the concept to flourish.