Dinosaurs vs Unicorns
Mark Miller
Take responsibility. Give credit. Co-Founder, 2025 Artificial (Un)Intelligence Conference
What's it like to start a DevSecOps initiative in most companies? Yep, I think the image says it all. You're going to have a hell of a time convincing the dinosaurs that the end is near, and the asteroid is on its way. What the industry is starting to confirm through trial and error is that there are a couple of things in the successful transition to DevOps/DevSecOps that will help you keep your distance from the dinosaur jowls.
1 - It's a "Cultural" thing not a "Tool" Thing-a-ma-jig
Literally every company, every person, I've talked with who has had a successful DevSecOps initiative says the same thing. "Start with the cultural transformation piece. Tools are a de-coupled commodity. Cultural buy-in from the beginning is what sets the stage to being successful."
2 - Start small, very small, and show the ROI
Start with a small team, a small project, minimal risk, short time frame. Your objective is to show how your project will help the business, not to show how "cool" DevOps is. In fact, don't even use the words DevOps or DevSecOps. To paraphrase James Carville, "It's about the business, Stupid!" If you're talking about building a CI/CD pipeline as your first foray into DevSecOps, you've already jumped the shark.
Dinosaurs vs Unicorns
Cultural transformation and ROI are the two starting points to consider when trying to implement change in a dinosaur environment. Teach your unicorns to focus on a small change with a big impact. Your biggest dinosaur won't be able to stand up to that asteroid. Never forget: the business value of your project matters.
A Small Test Project
Want a small project to surface your in-house unicorns? Evaluate your applications for open source components with known vulnerabilities. You'll know immediately who gets it and who doesn't. Dinosaurs won't understand it. Unicorns will have a "holy shit!" moment and you'll be on your way to your first cultural transformation.
As always, comments and feedback appreciated.