For all of its challenges, 2016 was a year of inspiring innovation.

SpaceX proved we can have reusable rockets by taking a page from a science fiction book and launching a rocket then landing it vertically on a moving boat. Enter a new era of space travel.

Tesla sent all of its cars a software update that suddenly made autonomous driving a reality. Enter a new era of transportation.

Netflix, Facebook and Etsy have perfected the art of moving code from commit to production more than ten times a day. Enter a new era of DevOps.

Except… maybe not.

It’s not that inspiration is a bad thing; but by looking only toward the most exceptional, best in class DevOps organizations, most companies are doing themselves a great disservice.

Why? For many in DevOps, deployment is still a headache. Forget massive innovation. How about just having a simple continuous integration and deployment pipeline set up? Forget ten times a day. How about just getting code out the door in a smooth and cost-effective way? Oh, and by the way, it all needs to be secure.

And by setting sights as high as, say, Facebook, many organizations feel like they’re failing before they’ve even started.


The reality for many

Right now, you may be one of many professionals who live and breathe in a “DevOps environment” that has you besieged by cost overruns and project delays. You’re likely hitting security and compliance problems as well, am I right? You’re facing security teams and auditors who are freaking out that your automation will create the Wild West of noncompliance and increase security risk.

Continuous deployment can be hard. In fact, all of automation can be hard. Infrastructure automation at scale requires specific skills and a change in culture.

Security is hard too. I get it. You have but a few defenses, little budget, no power and little staff. And yet your invaders just keep sending wave of attack after wave of (often automated) attack. They never tire or run out of money or time.

And yet, it’s possible.


How to make a functioning, secure DevOps your reality

Don’t be discouraged. No one would have asked Elon Musk to land that rocket when he founded SpaceX 15 years ago. By the end of 2017, you can have effective automation and security in place while keeping your costs at bay and delivering new code at a regular, fast clip.

There are loads of existing frameworks, regulations, etc., that tell organizations specific things to do, but we must think bigger and transform the business itself.

Enter the concept of Lean Security as a business management model. This essentially marries the lean principles that have proven so successful in industries like automotive manufacturing with agile development, Dev(Sec)Ops, TDD and the business as a whole.

How to get started?

Think culture: It’s important to remember as you take on a DevOps strategy that, above all else, it’s a cultural shift. You can deploy all the orchestration and automation tools in the world, but if your teams are not working together toward a single goal in a blameless organization, then all you’ve done is spent your hard-earned budget on the shiny new object that isn’t going to move the needle.

Start small: When you start a DevOps transition, start small, because you will have to continually learn, adapt, iterate and grow. You can’t just throw a magic switch and expect everyone to collectively be doing DevOps. First of all, how your company migrates to DevOps is going to be specific to your organization because not every company and culture is the same. I always recommend as a first step that development and infrastructure professionals talk to as many people as possible who have been through the transition in other organizations. Then apply those lessons in a way that makes sense for your unique organization, culture and teams.

Watch out for the Fierce Four of Failure: In my experience, DevOps transitions fail for one of four reasons: cultural roadblocks; failure to identify and act on mistakes as you go; failure to learn from past mistakes; and, most importantly, failure to include security, either early on or at all.

The single most common reason that DevOps strategies fail is the emergence of cultural roadblocks. I’ve rarely seen it come down to a technical tools problem; usually there’s a disconnect between the DevOps team and executives or other parts of the organization. It takes a concerted effort to get everyone on the same page. Everyone is working toward the same goal, but too often, they don’t realize it.

One of the most appealing aspects of DevOps is that it allows issues and mistakes to be spotted and fixed on the fly. Because it’s a constant process of adapting, smaller incremental changes are always easier to handle. When a release contains a handful of changes, a team can pinpoint the single change that introduced an unexpected security hole and fix it; when a huge release bundles months of changes, that hunt becomes much harder. DevOps teams should plan for the former rather than deferring everything to a big release down the road.

And remember, it’s always important to learn from past mistakes, but with DevOps, it’s critical. Too often, organizations only conduct investigations and postmortem analyses after a catastrophic failure. In that situation, the teams and individuals involved are immediately on the defensive. To effectively understand and learn from the past, the discussion has to be neutral and without blame or consequence, and this is a difficult concept for organizations to grasp. The keys are to hold these reviews regularly, not only after disasters, and to run them in the most neutral way possible.

The bottom line is that Rome (and SpaceX and Facebook) weren’t built in a day. There is a clear path forward for those looking to deploy a highly successful DevOps program, you just have to know where to look.