3 ways to empower and retain DevSecOps professionals
Security talent is critical right now: Use these strategies to attract and keep security pros who embrace DevSecOps
Organizations have increasingly adopted DevOps and, more recently, DevSecOps, as the best way to ensure that enterprise IT systems stay up-to-date, secure, available, and continuously tested and monitored. Unfortunately, due to the current state of the IT talent gap, engineers who embrace DevSecOps have become increasingly difficult not only to find but also to retain.
One of the best ways to attract and retain top talent is to understand that DevOps and DevSecOps are a mentality, not a role or a team. That's similar to how you may use agile methodologies without having "agile engineers" on your team. Recognizing this nuance and embracing the principle of treating security and infrastructure as code will enable you to lead a top-notch team that applies these practices properly.
On this foundation, the three most important things I think you can do are: align the teams, invest in the individuals, and empower them to innovate.
1. Align efforts and reduce tension
Operations and security teams can complement and support each other, work completely independently from each other, or worse, compete and conflict with each other. Sometimes, having separate teams can lead to duplicative efforts that are not well coordinated, resulting in teams being at odds with each other. I've seen security teams blame operations for vulnerabilities or lack of actionable alerts. Similarly, I've seen operations teams view security as unnecessary gatekeepers that put their delivery timelines at risk with unreasonable requirements.
DevSecOps recognizes that both teams have similar requirements for system documentation, context, monitoring, and alerting. It requires engineers to work together to develop, review, and test the infrastructure from multiple perspectives simultaneously, while also allowing them to focus on their areas of strength. Because of this, adopting DevSecOps and combining the two teams into a single infrastructure team is an effective way to foster cooperation between these two disciplines.
2. Invest in IT and security pros early and often
While this one sounds like a given, nurturing an infrastructure team member from the beginning is critical. When no time is allotted to train an engineer, or any employee for that matter, at the start, the employee's ramp-up and onboarding with the organization suffer, and the result is often high turnover among new hires. Furthermore, because cybersecurity threats and techniques keep evolving, infrastructure personnel need continuing training programs that keep them current if they are to remain effective.
Invest the time and resources to properly train staff from the start. Create a training program with three phases: onboarding, development, and retention. The onboarding phase should focus on the team's processes, best practices, and the fundamental skills and knowledge needed for the role. During the development phase, training should cover more advanced topics and help individuals stay current with emerging threats and techniques. Finally, the retention phase should present advanced topics in the areas they will need in their next role as they advance in their careers.
3. Create opportunities to innovate
The best infrastructure engineers I have worked with are driven by a sense of ownership and empowerment. I’ve found that if IT leaders provide guidance, freedom, and agency, then they will have a team that is continuously motivated and self-driven. This is because engineers enjoy solving problems, knowing that their solutions matter, and seeing their positive impact on the business.
Giving infrastructure engineers the time and space to operate is critical. This includes setting aside time for innovation, including researching and prototyping new solutions. From my experience, no engineer wants to continue working on the same thing day in and day out.
Because of this, IT leaders need to make sure they are empowering their teams to take advantage of new technologies to solve problems, while keeping in mind that innovation should be driven by business needs. The best approach I've found is to challenge engineers to find and present business cases for new technologies or practices, with clear guidance on the criteria you and the business will use to assess their proposals.
If you want to retain great engineers, make sure they do not get bored or disenfranchised. Not all engineers need to move up in an organization to feel like they are advancing in their careers; many just need to be challenged and constantly learning. By embracing DevSecOps and employing these ideas, you will create a strong, positive culture that exposes team members to growth and learning opportunities within your organization, keeping them interested and engaged.