DevSecOps (development, security, operations) meets modern organizations’ need for flexibility and speed through continuous definition, design, development and deployment of business features, all driven by consumer experience. This is a hot topic as IT organizations struggle with changing business needs and pace. Done right, it can transform the value IT brings to an organization through agile, enabled product evolution, additional capabilities to drive competitive edge, high technological innovation and efficient management.
However, many organizations face challenges in implementing DevSecOps because it represents a fundamentally different way of structuring an organization’s people and how they work. It therefore requires a different model of leadership and a culture that fosters ownership, empowerment and customer-centricity. Employees often struggle to work in this new way, and for an organization’s leaders, a traditional transformation and management approach is ill suited.
For organizations that are thinking about moving towards a DevSecOps model, the following are a few considerations to keep in mind.
Support the change in culture
While organizations understand the need to transform their culture and ways of working to succeed under DevSecOps, many fail to plan for the transformation and thus neglect to support the transition.
DevSecOps requires a new leadership framework to empower and develop teams. Leaders should serve as role models for the change leadership behaviors. Not only is the top-down approach important to executing DevSecOps, but employees must also be willing to learn and take ownership.
Build the capabilities of the future
A significant number of DevSecOps initiatives fail due to scarcity of technical doers and high-tech talent. In addition, organizations will have to fill some obvious skill gaps, including customer-centricity and soft skills such as collaboration, flexibility and problem-solving. This also includes understanding interdependencies across teams.
A number of initiatives that can help organizations establish the right workforce blueprint for success include:
- Providing essential coaching and mentorship to upskill current employees
- Building skills across functional areas through cross training or movement between groups
- Developing new leaders of the future and building a strong talent pipeline
- Updating the performance management process to reflect the requirements and opportunities provided under a DevSecOps model for fast-paced personal development, continuous feedback against key business metrics and a more flexible career model
- Tracking, recognizing and rewarding desired behavior
Employers also need to recognize that not all their people will want or be able to work under DevSecOps models, and some will likely leave. Consequently, organizations should create a DevSecOps talent strategy to set a direction for the resulting talent acquisition programs.
Structure the organization to enable DevSecOps
Organizations are traditionally structured in a hierarchical fashion across two dimensions: products/service lines and technical functions. However, to support the integrated model of DevSecOps, it’s important to adopt a matrix structure with a balanced approach to people management:
- Work management of products and services: In this dimension, teams are focused on market differentiation, delivery of new products/services or resolving specific customer challenges, primarily using agile or iterative delivery approaches to design, test, launch and iterate a solution.
- Resource management of technical functions and business subject matter expertise: This dimension is focused on continuous organizational growth, development of knowhow and insights into specific topics. This also includes efficient management of resource allocations/reallocations across work streams.
- People management: This dimension is focused on establishing a culture and lifestyle to help people cope with stress and encourage collaboration to achieve the organization’s strategic objectives. This can help employees with continuous personal growth and achievement of their career goals.
Most organizations understand the need to transform their organizational structure and ways of working to succeed under an agile organizational model. However, many focus on one or two of these dimensions but fail to fully plan for the transformational journey and don’t provide the right support to their teams and staff during the transition. Winning organizations are applying these three dimensions to their organizational structure so they can respond more quickly and efficiently to market dynamics.
Focus on change management
Just because the organizational model is being moved toward DevSecOps, it doesn’t mean that leading practice approaches to change management can be ignored. Moving to DevSecOps doesn’t happen overnight — organizations need a structured and long-term plan to transform and sustain the changes.
It’s important to invest in a program of change interventions that reflects the complexity of the move to a DevSecOps model. This change program needs to include strategic segmentation of employees so that communications, engagement and resistance can be managed in a more personalized and targeted way. As with all successful change programs, it needs to identify, activate, support and empower change champions across the organization.
