DevSecOps: Focus training on 3 key areas

DevSecOps: Focus training on 3 key areas

Training teams on how to make DevSecOps work? Change management often leads the priorities, but don't ignore two related factors

up
104 readers like this
CIO digital transformation

DevOps, with its fast and frequent release cycles, is the new environment that organizations need to contend with in order to stay competitive in the market. It is especially challenging when security considerations come into play, since developers don’t often have secure coding expertise and since security practices traditionally stall release cycles. 

Despite its necessity, establishing a DevSecOps environment in an organization is no simple feat; it is a complicated, multi-layered process, and much of its success relies on the reinforcement of strong training principles. Managers are often left wondering what specific aspects of training need improvement, as well as which concrete steps they can take to effect real organizational change.

To clarify these questions, we came up with a breakdown of the training components that require attention, as well as an outline of the necessary steps for training your team to operate well in a DevSecOps environment. 

[ Read our related story: Hiring security gurus: 3 strategies to find scarce talent. ]

When we consider the training issues related to DevSecOps, there are essentially three different areas that we need to consider: Change Management, capabilities, and roles. Although we often hear about the importance of roles, there is a broader scope we must consider in order to be effective. In fact, these three focus areas are all inter-related.

1. Change management 

Looking at change management, there are two attributes to consider. First of all, we need to consider the transition states. These will bring the people in an organization from their current state to the desired future state, and they’re a necessary, yet often overlooked, part of the process. So, it is strategic in nature: Which transition state will draw your team away from their current state and toward the desired state? Many engineers in DevSecOps environments are not aware of change management principles. They need to be educated on this important topic, since it is integral to establishing a successful DevSecOps environment. 

The second attribute to consider is contribution to the change process. Many change management initiatives fail because of the cultural inertia, and there is significant training involved in getting people on the right side. Helping teams to identify team leaders, or "security champions," aligning employees’ motivations with organizational priorities, and providing support for their teams becomes the prescriptive work of the aforementioned change-management training. 

2. Capabilities 

When it comes to capabilities, here we primarily mean skills. First, there's the technical side of the skills. This is what we usually hear about in the industry. It means things like Continuous Integration (CI) and Continuous Deployment (CD), testing, automation, and so on. Within this domain, we have to move away from undisciplined activities toward more rigorous and in-depth understanding.

This means hard work; there are no shortcuts to achieving this. Here, we see an immediate connection with change management, namely, the need for change management leadership to support this type of discipline and skill refinement. 

[ Why is CI/CD so important? Read our related article: DevOps success: Why continuous is a key word. ] 

Enhance an individual's existing role so that they gradually transform into specialists within a number of different areas.

Second, retention of that knowledge matters. With a lot of time and resources, it is possible to let DevSecOps teams learn naturally. But, in reality, we need to shorten the time frame for learning. Ideally, we want to have an expert alongside team members, while allowing team members to practice in real-world situations.

The best of both worlds emerges with just-in-time-training. This training offers micro-modules that prepare teams to understand security concepts, and, using these courses, developers can immediately start applying this knowledge to their work context. What you end up with is a continuous recall methodology that ensures learning concepts stay within the mind of the individual.

3. Roles

Finally, when it comes to roles, we have to train teams on understanding personal change. It is a requirement for people to understand how their roles will change in the future. Many teams are used to specialization (testing, coding, and so on). What we need to do is train people out of that type of myopic thinking, and to broaden their perspectives so they can think more critically across multiple domains. The goal, then, should be to enhance an individual's existing role so that they gradually transform into specialists within a number of different areas.

In the end, training people on DevSecOps is not about a single approach. A broader perspective is needed to successfully establish this kind of environment. Systems thinking is essential to drive the necessary change in behavior, which is the intent of successful training programs.

[ Read also: DevSecOps: 7 habits of strong security organizations. ]

Altaz Valani is the Research Director at Security Compass responsible for managing the overall research vision and team. Prior to joining Security Compass, Altaz worked as an IT industry analyst covering application development – including agile, cloud, mobile, and the overall SDLC.

7 New CIO Rules of Road

CIOs: We welcome you to join the conversation

Related Topics

Submitted By Kassie Rangel
October 11, 2019

Creativity represents an essential ingredient for any company, regardless of the industry.

Submitted By Stephanie Overby
October 10, 2019

Augmented reality and virtual reality are often confused – but they’re more like technology cousins than twins. Let’s explain both in plain terms and examine some AR and VR use cases.

Submitted By Carla Rudder
October 10, 2019

Think agile is all hype, or that it isn’t right for you? One of these common roadblocks could be standing between your organization and the promised benefits of agile project management.

x

Email Capture

Keep up with the latest thoughts, strategies, and insights from CIOs & IT leaders.