As I wrote in my first article in this series, "creating a DevSecOps culture is foundational to any DevSecOps transformation." While your executives may not be writing code anymore, they still play a role in fostering a DevSecOps culture, one that supports integrating security throughout the IT lifecycle rather than making it a distinct process.

Typically, your chief technology officer (CTO), chief information officer (CIO), and chief information security officer (CISO) have the most influence on the success of your move to DevSecOps. These executives also have the most to lose.

Challenges to DevSecOps at the exec level

Challenges to fostering DevSecOps transformation at the executive level revolve around fear of change.

One big challenge is the executive who is still stuck in waterfall development; the mere thought of DevSecOps strikes at how they've been doing their job for decades. They're comfortable with the gated approach to software development. The prospect of DevSecOps challenges their real or implied control.

When you walk down "executive row" (in the days when we all worked in offices), you discover another level of relationships, brinkmanship, and corporate politics at play. You must refocus your definition of DevSecOps success for your executives, which may differ from the emphasis you give your team.

4 pillars of DevSecOps success at the exec level

It's up to you to define success for your DevSecOps transformation at the executive level. Here are four pillars of success to give you an idea of what it takes.

1. Find an executive sponsor

Cultivating a DevSecOps culture at the executive level starts with finding an executive sponsor for your initiative. You want to set expectations about what DevSecOps can and cannot do for your organization. Undoubtedly, the prospect of automation will entice some of your executives. It's essential to work with these executives upfront to chart an automation roadmap or plan. You can introduce them to:

  • Tasks to automate with business and technology cases
  • Automation benefits for the organization and its customers
  • Automation limitations and realities, to keep their expectations in check

Depending on your organization's corporate culture, selling DevSecOps at the executive level is necessary to gain an executive sponsor for your efforts at budget time. While this person doesn't need to be your CTO or your CISO, the best candidate is someone who has the most to gain from your move to DevSecOps.

Don't dismiss your sales VP as a DevSecOps advocate: the higher delivery velocity of well-executed DevSecOps can give them an edge over their competitors, particularly if your organization serves compliance-conscious customers. DevSecOps enables more reliable products and even feature delivery with a greater focus on security. That can help close business deals.

2. Tell a DevSecOps story to a business audience

It's OK if you're all geeked out about DevSecOps. It's another thing to be that way when communicating about your DevOps-to-DevSecOps transformation to your executive team. While you may have a whip-smart executive leading your organization, it's hard at all levels of an organization to keep current with new technologies and software development practices.

Here are the three critical elements of a DevSecOps story for executives:

  1. What DevSecOps is and isn't for your organization
  2. Security and compliance benefits of DevSecOps for the organization
  3. Potential budget for upskilling staff for DevSecOps

3. Insert DevSecOps into security and compliance discussions

To cultivate a DevSecOps culture at the executive level, you need to position it as a means for executives to get something they want. Maintaining security and compliance is the hook to getting your DevSecOps initiative the executive cover and support it needs.

4. Play the improved reporting card

Now that you have security embedded in your toolchains, you can offer your executives even more granular reporting on your software's secure development and operations. Implementing self-service reporting is one way to help stave off interruptions for your DevSecOps teams. Particularly in a remote or hybrid work model, self-service reporting improves executive confidence because the information is always available to them as teams work remotely.

Final thoughts

Although executives are layers above developers, they must be part of a DevSecOps culture to benefit from the transformation and see how it contributes to their organization's success. In addition, DevSecOps can help chart an organization's course through the digital transformation that the pandemic requires from so many enterprises. In my next article, I'll share 6 ways to support transformation across your organization.


About the author

Will Kelly is a writer who writes bylined articles, white papers, marketing collateral, and technical content about the cloud and DevOps. Opensource.com, TechTarget, InfoQ, and others have published his articles about DevOps and the cloud. He lives and works in the Northern Virginia area.
