
The What and Why of DevSecOps

In IT it is especially easy to get caught up in the How of just about any facet of our work. It all seems so mechanical: just tell me what tools to use and how you want it architected, and we can go bang out a solution. It's what we do. DevOps and DevSecOps have been no different, as we tend to focus on the CI/CD pipeline and which tools to integrate into it. Hopefully this article will pull back the curtain, ground us in what DevOps actually is, and explain why that matters.

The ‘What’

To me, DevOps is fundamentally about creating a culture of learning. This is in stark contrast to the prescriptive and heavily planned nature of the past. Instead of trying to gather all of the requirements, understand all of the use cases, and then telling people what to do, we learn as we go. Any quick search on DevOps and culture should take you to the acronym CALMS. Originally coined CAMS by John Willis and Damon Edwards after the first US-based DevOpsDays event, held in Mountain View, California in 2010, it stood for Culture, Automation, Measurement, and Sharing. Jez Humble later added the L, for Lean, making it CALMS.

The problem with an acronym is that it comes off as a list of things, but I want to connect them all. For me, it always starts with "a culture of": a culture of automation, a culture of lean, a culture of measurement, and a culture of sharing. Here 'culture' means the set of shared attitudes, values, goals, and practices that characterizes an institution or organization. In simple terms, expected norms, all of which support a culture of learning and going faster.

DevSecOps is still a culture of learning, but we are explicitly inviting Security to the game of delivering customer value faster. Security can no longer keep to itself and be seen as a barrier to delivery. Instead, we want Security to embrace automation, lean, measurement, and sharing like the rest of us, and learn to become an accelerator.

The ‘Why’

It should be uncontroversial to say that everyone at a given company wants to deliver customer value faster and with high quality. In today's terms, customer value is mostly delivered via software, and high quality means secure, performant, and free of defects. Assuming we can all agree on this simple concept, we can start to see how our cultural norms help us achieve these goals. Automation and Lean are all about going faster while removing waste. Measurement and Sharing help us to continuously learn. Organizations that have cultivated a culture of learning become not just resilient to change but adept at it, which is true agility.

While being resilient to change is helpful when we need to react to disruptions in our industry, there is another benefit. William Pollard, a principal founder of the Oak Ridge Institute of Nuclear Studies, has said, "Learning and innovation go hand in hand. The arrogance of success is to think that what you did yesterday will be sufficient for tomorrow." Being innovative can mean your organization is the one doing the disrupting, forcing the competition to react and testing their agility.

If being resilient or innovative isn't compelling enough, let me leave you with two Peter Senge quotes. Peter Senge is the author of The Fifth Discipline and a senior lecturer at the MIT Sloan School of Management, and was named "Strategist of the Century" by the Journal of Business Strategy.

“A learning organization is a group of people who are continually enhancing their capabilities to create what they want to create”

“The only sustainable competitive advantage is an organization's ability to learn faster than the competition.”


Written by Curtis Yanko

Curtis Yanko is a Sr Principal Architect at Sonatype and a DevOps coach/evangelist. Prior to coming to Sonatype, Curtis started the DevOps Center of Enablement at a Fortune 100 insurance company and chaired an Open Source Governance Committee. When he isn't working with customers and partners on how to build security and governance into modern CI/CD pipelines, he can be found raising service dogs or out playing ultimate frisbee during his lunch hour. Curtis is currently working on building strategic technical partnerships to help solve for the Rugged DevOps tool chain.