First, DevOps. Then, DevSecOps. What’s next?
The job of a developer has become increasingly complex over the past few decades. Developers have been learning to navigate DevOps, which emerged hand-in-hand with Agile and cloud computing, to gain speed in deployment and operational synergies. Next, IT security came to the forefront, leading to DevSecOps. There is no doubt that considering security from the beginning is easier than implementing it later in the process. But there is one often-repeated phrase touted by those seeking to influence companies to expand DevSecOps. They say “Security is everyone’s job”. I hate to be the contrarian here, but not everything can be everyone’s job. Some things require the right skill set to be done well.
Many organizations thought DevOps meant both development and operations were everyone’s job. Now we are adding security to that mix. An unfortunate side effect of the DevOps movement is developer armies that are unhappy they’re no longer doing real development. What’s really needed is to ensure good project management practices to drive engagement, with operations, security, and development sharing basic knowledge to understand each other’s point of view and technical challenges. Let’s not try to have everything be everyone’s job. Let’s empower developers, operators, and security experts with the right information at the right time.
Management practices and skill sets aside, the advance of Kubernetes has added a middle layer between infrastructure and applications that helps to alleviate infrastructure concerns. DevOps teams can rely on the site reliability engineer (SRE) for some support, but it still won’t be enough. Why? Because DevSecOps engineers must ensure applications are available and monitored, and remain secure and compliant. They also must build and maintain delivery pipelines, laying the groundwork to get code deployed quickly and safely. Just reading the list of responsibilities is exhausting. As leaders, are we putting unrealistic expectations on our teams?
I’ve observed the most successful companies are those that provide a comprehensive tool set with the integrations required to keep the information and the work flowing with appropriate guardrails, yet empower people to take accountability.
Are you wondering what the right tool set is? Each organization will have different needs, but a common requirement for all organizations is to have a modern and complete IT inventory. IT inventory will give you the information you need to plan, develop, sustain, rationalize and sunset your portfolio of applications and optimize effort and investment to maintain that environment. It enables automation and process integration so that people don’t have to duplicate effort to maintain individual baselines, and it creates a consistent scope and ownership since everyone is looking for the same data. Inventory to a CIO is what insurance is to a homeowner. It’s something you rarely think about, but if you don’t have it the consequences are all-consuming. Organizations must invest in process automation to keep inventory complete and up to date. Far from the more glamorous areas of IT, inventory is a key enabler that could make or break the efficiency levels of your IT operation.
During your inventory journey, you may face questions or doubts about building a centralized or decentralized inventory or even to what extent you have to manage cloud environments since, “well, it’s on the cloud.” The only way to answer that question is with two very powerful questions: “What do you need the inventory for?” and “How will you guarantee that the data is current and complete?” Some platforms offer a large relational data model that has been enhanced and maintained for years with established configuration item classes. Keep in mind that tools and automation can reduce business complexity significantly, and help to deliver value faster. But they are still no substitute for good business process and clearly defined responsibilities to prevent your system from becoming inundated with garbage data. People, and their behavior, will always determine the success of any company.
By Flávio Del Bianco De Oliveira - Platform Architect