How does security work in a successful enterprise DevOps initiative?
TL;DR: Take 15 min to complete the 2019 State of DevOps Survey!
Last year we did something different with our annual State of DevOps Report, based on consistent feedback we’ve heard over the years. We gathered these insights from folks in enterprise environments attempting to use DevOps practices to improve their software delivery lifecycle and the reliability of their infrastructure.
This feedback was that while our industry has a reasonable idea of what it takes to make a team successful using DevOps practices, most people are still struggling to level up their entire organization. We’re hearing over and over again that most organizations have pockets of success, but they haven’t worked out how to replicate that success at scale.
Building a more prescriptive guide to DevOps success at scale
We know there are organizations out there succeeding at this. We’re also skeptical of rigid maturity models that claim to produce a fixed end goal. Instead, my 2018 co-authors Alanna Brown, Andi Mann and Michael Stahnke and I want to respond to and answer a constant request for more prescriptive guidance, particularly from organizations just starting out with their DevOps initiatives that have a large legacy environment.
Thus, our survey last year focused on developing an evolutionary model to advise people who don’t know what to do next. It’s clear there are many ways to succeed at deploying these cultural and technical practices, and that all organizations face different challenges. After poring over the findings, we all generally subscribe to the idea that there’s no “one size fits all” formula, but instead a set of established, key patterns that lead to success.
We introduced the DevOps Evolutionary Model in 2018
By surveying people about what practices they deployed and when, our research produced a DevOps Evolutionary Model that has yielded quite a few insights and resonated well with the thousands of people we’ve presented it to, in audiences large and small.
Check out the model and the research in the 2018 State of DevOps Report, if you haven’t yet.
Which types of DevOps teams are most successful?
The most evolved organizations are those where trust is high, where it’s easiest to cross organizational boundaries to get work done, where consistent automation platforms exist, and where patterns, practices and platforms are shared across teams to mutual benefit.
One of the most fascinating findings was around how security practices and teams fit into an organization that’s achieving success with DevOps practices, or “DevSecOps” if you like. These highly evolved organizations are achieving significant results in terms of applying automation to security considerations; they’re not just “shifting left” in terms of where security teams interact with development and operations teams in the software delivery lifecycle.
The combinations of high trust environments, autonomous teams, pervasive automation platforms and cross-functional collaboration between application teams, operations teams and security teams are enabling capabilities such as automated incident response and transparent security policies as code.
We need to learn more from “DevSecOps” practitioners and managers out there
We all wanted to explore this area further and see if we could discover not only whether there are common underlying patterns and practices within these organizations that enable tighter integration with security, but whether this all actually results in better business outcomes. There’s a lot of security theatre out there in enterprise environments, and thus a lot of skepticism about whether most of the work done in this area results in improved security postures and how much poor security practices actually hurt businesses.
Please take our 2019 survey
We need your help! Alanna Brown, Andi Mann, Michael Stahnke and I would really appreciate you taking a quick 15 minutes out of your day to complete this survey!
We know your time is precious so we’ve done our best to make the survey as concise and thoughtful as possible. As before, we’re offering 25 gift cards ranging from $500 - $100 (see contest rules for details).
We can’t wait to see the results of this year’s survey and continue the conversation!
Nigel Kersten is VP of Ecosystem Engineering at Puppet.