TL;DR / Summary at the end of the post. The information shared in this series is derived from my experience building the DevSecOps program at Thermo Fisher Scientific (a global Fortune 100 laboratory sciences company).
Full Disclosure up-front: I am employed as a Code Scanning Architect at GitHub at the time of publishing this blog post.
Recapping Security Maturity in relation to DevSecOps
As stated in the first post in this series - in the age of DevSecOps, security has become part of the design and build process; the maturity required to integrate seamlessly into the development process has changed significantly from the days of “put a firewall in front of it and call it done”.
As it stands today, Security Maturity - in terms of both teams and their technologies - can be measured across four stages based on the direction they’re heading (forward ➡️ or backward ⬅️), and the outcomes they produce. I think of these four stages in terms of breadth and depth as follows:
Compared to immature teams, adolescent teams have started their maturity journey with open eyes and ears. They tend to have a general understanding of the direction they need to be heading in, and understand that they aren’t on this journey alone. While they still face some challenges, adolescent teams will at least start building momentum through communication.
With adolescent teams, communication begins in advance of starting new projects or initiatives. While not always with as much advanced notice as stakeholders and dependent teams would like - or with all of the necessary stakeholders included - adolescent teams will at least start building a coalition of interested parties when they take on new efforts.
As a result, adolescent teams might frustrate other parts of the organization at times - but the efforts put into communicating will plant seeds for future relationships across the company. Due to this level of communication, investments adolescent teams make (or solutions they build) are modestly informed - and therefore have at least some positive impact.
While adolescent teams still create some friction, it is largely positive in that it engenders conversations and builds relationships. One area that adolescent teams can focus on to grow their maturity is through building consensus and focusing on strategic initiatives that scale.
While coordination might feel strained at times, by communicating with stakeholders an adolescent team has minimally prepared others for upcoming projects or initiatives. That being said, such teams will still inconvenience others with their work - but are generally cognizant of this fact, and work to build relationships in hopes of generating opportunities for future collaboration.
Most of the friction adolescent teams experience will come from making investments (in either commercial solutions or in time for building home-grown solutions) that are challenging to scale. This challenge often comes to light during coordinated efforts with other teams. Implementing an adolescent team’s solution(s) will often take longer than planned, and sometimes fail to integrate properly due to a lack of collaboration between teams.
To the frustration of their stakeholders, collaboration tends to happen late in the process for adolescent teams. This delay in collaboration causes such teams to make decisions without consulting their colleagues - or allowing stakeholders enough time to analyze the situation and provide feedback without needing to sideline other priorities.
Likewise, the immature side of adolescent teams reveals itself when such teams choose to delay collaboration because they’re concerned about being derailed from the track they’re on. There is an element of selfishness happening when adolescent teams act this way, and to reach maturity they will need to grow out of this bad habit.
With adolescent teams, success is measured by the pace with which the team implements new and innovative solutions. There’s a sense of progress they feel when experimenting with novel solutions, and accomplishment comes from kicking-off implementation of something new.
Don’t get me wrong - a lot of the new processes and technologies an adolescent team implements can lead to positive outcomes for the company. The real challenge will be taking these upstart ideas and scaling them into repeatable, well documented, mature processes that the company can adopt efficiently.
In order to grow up, adolescent teams need to learn to manage their energy and focus. Likewise, adolescent teams need to practice patience.
By focusing on fewer (but impactful) initiatives and measuring smaller increments of progress, adolescent teams can build feedback loops that reinforce the value and importance of their work. This will help deliver satisfaction over longer time horizons, which all initiatives require when scaling in the enterprise.
Moreover, in pursuing this focused approach adolescent teams need to spend additional time building relationships. This can be accomplished by communicating and collaborating with stakeholders earlier in their process, which will alleviate the friction created when trying to scale investments across the company. It will likewise help inform adolescent teams which initiatives might fail earlier in the investment cycle, allowing them to pivot toward more impactful work.
TL;DR / Summary
Through earlier communication with stakeholders, adolescent teams begin to build relationships with their colleagues. And while adolescent teams might frustrate other parts of the organization by not communicating far enough in advance, the efforts put into communicating will help develop ongoing relationships across the company.
Likewise, coordination happens more frequently with adolescent teams due to ongoing communication with stakeholders. Through coordinated efforts such teams build relationships across the company, which makes it easier to collaborate later on as the team starts to mature. That being said, this is usually where friction starts to occur for adolescent teams when they learn that their investments are difficult to scale.
And while adolescent teams still sometimes revert back to immature behaviors like delaying or avoiding collaboration until it’s too late to change direction, with enough time and practice these teams will grow out of their immature behaviors.
That being said, maturing the measurements for success will require a lot of growth from adolescent teams who generally build their sense of accomplishment from implementing new tools and starting new initiatives. Sticking with initiatives and scaling them across an enterprise takes patience and focus, which are personality traits that take time to build - and will be out of character for some people.
Ultimately what adolescent teams need in order to become a mature organization is to spend more time collaborating with stakeholders earlier in the process of planning new investments. This will help such teams choose investments that meet more of their stakeholders’ needs, and will make it easier to scale those investments across the company.
Finally, not all teams will reach maturity with the same group of people that started the journey. Some people just don’t have the patience to take a new initiative and scale it out across a company - and that’s okay. All teams need innovators with a “start-up mindset” at some point in their journey; learning to benefit from such people is also a sign of maturity.
And with that, thanks again for stopping by to read more of my pseudo-random musings 😊 While I work on the next blog post discussing Adolescent Technologies, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or take a stroll through my DevSecOps Essentials series to discover the worthwhile investments your DevSecOps program might benefit from.
In the meantime, remember to git commit && stay classy!
Keith // securingdev
If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who already support this content!😊