DevSecOps in the public sector — how to build the right team
In Sergio’s previous “DevSecOps in the public sector’ blog, he looked at how to create the right culture within an organisation. This time, he focuses on how to build a great DevSecOps team.
Let’s get one thing out of the way, whatever you do, you’ll never create that ‘dream DevSecOps team.’ The team you create won’t be perfect. But my experience of building DevSecOps teams from the ground-up tell tells me it doesn’t need to be. You want to be pragmatic and build a team that constantly makes progress — and perfection can be the enemy of progress.
So, here are my top tips on how to mitigate some of the risks and build a successful DevSecOps team
1. Get team players with the right mindset
Your DevSecOps team needs to understand the big picture. From experience, I’ve noticed some DevSecOps teams fail to consider what the customer set out to achieve. Engineers (developers, platform engineers, etc.) tend to focus on the technical details and sometimes forget about the user experience and the organisation’s goals. Not working towards key priorities can lead to inefficiency.
It’s why having a product mindset approach is fundamental for your DevSecOps team. Every effort by the team has to be linked to the organisation’s goal. A product manager helps people focus on what’s important — and I would strongly recommend one for a DevSecOps team.
Needless to say, being a team player is important, as is communication. I’ve come across professionals who are good technically but couldn’t integrate well into the team. These people work well on projects in isolation but not so good at being part of a team. The DevSecOps approach requires team players.
2. Attitude first, aptitude second
Technology changes fast and so the knowledge of your DevSecOps team must keep pace. Opt for people who are keen to learn and share knowledge above experts in one technology who hate leaving their comfort zones. Don’t get me wrong, I don’t think a service can be delivered and maintained by enthusiasts alone. The team mix requires people with knowledge too. But I cannot stress enough the importance of having people with the right attitude.
A few years ago, we hired a technical architect that on paper looked good. The CV was impeccable. This person claimed to have led the implementation of world-class web applications (including managing Agile and DevOps teams). The reality was unfortunately quite different and we had to let this person go. But the positive side of the story is the team stepped up. A less experienced developer took a lead role — he understood the needs of the project and translated them into technical requirements. The team, including two graduates, were energised and the project was back on track. They all had the correct attitude.
3. Multi-disciplined and full-stack
A DevSecOps team needs to be multi-disciplined with specialists in different areas (e.g. front-end, back-end, platform etc.) but it also needs some degree of full stack.
Full stack can mean different things to different people. For me, a full stack engineer understands and implements (to a certain degree) a feature end to end. This includes front-end, back-end and platform. But most importantly, they understand the business benefit.
4. Identify “problem people”
I like — as I call them — “problem people”. I am one myself. I don’t mean people who create problems but those who thrive in resolving problems when they occur.
In one of our projects Zaizi is just one supplier, amongst many others, delivering different parts of a service to a customer. On one occasion a problem stopped users from accessing the service. There was pressure from the customer’s senior stakeholders and some suppliers started blaming each other. We, at Zaizi, did not get involved in the politics and set about identifying and resolving the issue taking an empirical approach. We couldn’t have done it without the experience and problem-solving mindset of our team members who resolved the issue successfully.
Find people who see an opportunity to show their value. A DevSecOps team needs as many “problem people” as possible.
5. Good security is enough
Getting security right — like most things in life — is a question of balance. You could ignore the threat and get hacked. Or you could get paranoid and overengineer the security controls, wasting time, money and making the service difficult to use.
The key is to analyse and model security threats from the beginning, and continuously. Remember what I mentioned was the motto of one of our clients in the previous blog?
“User experience has to be the best, security has to be good enough.”
For them, good enough security is good enough. And that’s for a central government organisation that sees security as integral — yet it still prioritises user experience over everything else. I’ve come across security people who’ve thought the other way around — that security has to be the best. That mindset leads to overspending and poor user experience.
So, how can you ensure your team has correct skills to get the security balance right?
- Make sure the whole team is trained on cyber-security. There are good courses out there to help you do that.
- Ensure your security specialists (e.g. security analysts, architects, pen testers) have experience implementing security through Agile and DevSecOps.
- Your security specialists should have demonstrable experience designing security based on levels of threat.
- Avoid security by obscurity and take a pragmatic approach by setting up game days, internal hackathons etc. involving the whole team and external collaborators.
It’s not easy creating a team with the right blend of experience and enthusiasm — and remember it won’t be perfect. But if you consider the above points when devising your DevSecOps team, you’ll be on the right tracks.
Next time, I'll look at what I think the essentials are when it comes to implementing a DevSecOps model.