DevOps, with its fast and frequent release cycles, is the new environment that organizations need to contend with in order to stay competitive in the market. It is especially challenging when security considerations come into play, since developers don’t often have secure coding expertise and since security practices traditionally stall release cycles.
Despite its necessity, establishing a DevSecOps environment in an organization is no simple feat; it is a complicated, multi-layered process, and much of its success relies on the reinforcement of strong training principles. Managers are often left wondering what specific aspects of training need improvement, as well as which concrete steps they can take to effect real organizational change.
To clarify these questions, we came up with a breakdown of the training components that require attention, as well as an outline of the necessary steps for training your team to operate well in a DevSecOps environment.
When we consider the training issues related to DevSecOps, there are essentially three areas to address: change management, capabilities, and roles. Although we often hear about the importance of roles, there is a broader scope we must consider in order to be effective. In fact, these three focus areas are all inter-related.
1. Change management
Looking at change management, there are two attributes to consider. First, we need to consider the transition states. These bring the people in an organization from their current state to the desired future state, and they are a necessary, yet often overlooked, part of the process. The question is strategic in nature: which transition state will draw your team away from their current state and toward the desired state? Many engineers in DevSecOps environments are not aware of change management principles. They need to be educated on this topic, since it is integral to establishing a successful DevSecOps environment.
The second attribute to consider is contribution to the change process. Many change management initiatives fail because of cultural inertia, and significant training is involved in bringing people along with the change. Helping teams to identify team leaders, or "security champions," aligning employees' motivations with organizational priorities, and providing support for their teams becomes the prescriptive work of the aforementioned change-management training.
2. Capabilities
When it comes to capabilities, we primarily mean skills. First, there is the technical side of the skills. This is what we usually hear about in the industry. It means things like Continuous Integration (CI) and Continuous Deployment (CD), testing, automation, and so on. Within this domain, we have to move away from undisciplined activities toward a more rigorous and in-depth understanding.
This means hard work; there are no shortcuts to achieving this. Here, we see an immediate connection with change management, namely, the need for change management leadership to support this type of discipline and skill refinement.
Second, retention of that knowledge matters. With a lot of time and resources, it is possible to let DevSecOps teams learn naturally. But, in reality, we need to shorten the time frame for learning. Ideally, we want to have an expert alongside team members, while allowing team members to practice in real-world situations.
The best of both worlds emerges with just-in-time training. This training offers micro-modules that prepare teams to understand security concepts, and, using these courses, developers can immediately start applying this knowledge in their work context. What you end up with is a continuous-recall methodology that ensures learning concepts stay in the mind of the individual.
3. Roles
Finally, when it comes to roles, we have to train teams to understand personal change. People need to understand how their roles will change in the future. Many teams are used to specialization (testing, coding, and so on). What we need to do is train people out of that type of myopic thinking and broaden their perspectives so they can think more critically across multiple domains. The goal, then, should be to enhance an individual's existing role so that they gradually become specialists in a number of different areas.
In the end, training people on DevSecOps is not about a single approach. A broader perspective is needed to successfully establish this kind of environment. Systems thinking is essential to drive the necessary change in behavior, which is the intent of successful training programs.