DevOps transformation can require a major shift in organizational culture and “the way things are done.” This can be difficult in any organization, but gets incrementally more difficult as the size of the organization grows. When you get to the size of the U.S. government, implementing DevOps can seem insurmountable. But it can be done.
For many organizations, especially government agencies, security controls can be a chief focus and one of the “reasons not to implement DevOps,” because security professionals mistakenly believe that handing control over to others or automating the process will weaken security. Done well, DevOps makes applications more secure. But the hurdles to implementing the necessary changes can be high, especially in a bureaucracy where process and hierarchy trump efficiency.
Janek Claus and Svetlana Yazhuk work for General Dynamics Information Technology, implementing DevOps for clients. Svetlana is a DevOps engineer supporting a platform for continuous deployment of containerized applications for a large U.S. government agency. In their presentation at last year’s All Day DevOps conference, they share the challenges they overcame and the platform they are using.
Janek introduced several challenges to improving application security with DevOps. They are applicable to any large organization, with some specific to the U.S. government.
Talent Shortages
Janek references a U.S. government report on the challenges of hiring and retaining enough security specialists, noting that 74% of agencies are “At Risk” or higher, according to the report. Of course, this is true across many other industries and organizations. Governments also see recruiting and retention challenges because employees want to work in modern environments. Training employees is also difficult because – as we all know – it interrupts the work everyone wants to do.
Some solutions Janek covers include: