Improved collaboration between Development, Security and IT operations is at the heart of DevSecOps. When done right, this enables teams to remove silos to build, test, and deploy secure software faster, making it possible to deliver accelerated innovation for their customers.

In Southeast Asia, DevOps is gaining ground, with Singapore leading the region in its maturity and appetite for disruption as more and more companies are waking up to disruptive technologies and joining the digital transformation. Leading organisations in the region such as ride-hailing and transportation platform Grab have adopted DevOps from its early days to fast track their response to customers’ needs and build competitive advantage. 

GitLab’s fourth annual DevSecOps survey revealed that globally, over 25% of companies are in the DevOps “sweet spot” of three to five years of practice. And another 37% are well on their way, with between one and three years under their belts.

Making DevOps successful and delivering meaningful impact to the business is a continuous journey. While a high-performing DevOps team may look slightly different from one organisation to another, there are four universal factors to address when looking to build an effective DevOps team.

Break down existing silos

Traditionally, Dev and Ops have been completely separate. Both teams work in their bubbles and lack visibility into the workflow of the other team. This complete separation lacks collaboration, visibility, and understanding – vital components of what effective DevOps should be. 

Some organisations deploy the DevOps middleman team structure. In this model, there are still separate Dev and Ops teams, but there is now a “DevOps” team that sits between, as a facilitator of sorts. This is not necessarily a bad thing and can serve as a temporary solution with the goal being to make Dev and Ops more cohesive in the future.

Another scenario has Ops as standalone while Dev and DevOps are melded together. Organisations like this still see Ops as something that supports the initiatives for software development, not something with value in itself. They suffer from basic operational mistakes and could be much more successful if they understood the value Ops brings to the table.

GitLab’s survey found that the lines are blurring between developers and operations teams, as 35% of developers say they define and/or create the infrastructure their app runs on and 14% actually monitor and respond to that infrastructure – a role traditionally held by operations.

Get security and operations involved 

There also continues to be a clear disconnect between developers and security teams, with uncertainty about who should be responsible for security efforts. GitLab’s survey found more than 25% of developers reported feeling solely responsible for security. 

In the new world, silos between these teams and responsibilities can’t be tolerated anymore, with security increasingly built into the development process at an earlier stage.

What Ops brings to the software development life cycle (SDLC) is reliability, performance, and stability. Operations need to be fully aligned with the goals of the business, and not viewed as configuring servers and assisting the development (and security) teams with their agenda.

Devs can help the production environment by using their skills to automate processes, and true DevSecOps plays to the strengths of each. 

DevSecOps does not mean that developers manage everything security and production related. To achieve successful DevOps transformation, teams need to improve collaboration and encourage rapid, continuous learning and improvement across different functions. For example, providing the capabilities in a single app for developers to incorporate security scans and remediate vulnerabilities as they code (shift-left) helps free up time for security teams to focus on their critical security priorities, while also ensuring improved code quality and faster releases.

Lead the change

In our regular conversations with large Southeast Asian organisations, many IT leaders concurred, acknowledging that a key step in their transitions is understanding what barriers stand between different teams. 

The secret to overcoming the challenges of cultural change related to DevSecOps implementations can be found in the way leaders lead and manage the change.

Change isn’t easy even in the most ideal scenarios, let alone in organisations that aren’t communicating well in the first place. Some of the biggest predictors of failure are resistance to change, low readiness for change and poor employee engagement.

Leadership has a direct influence on how team members respond to DevOps changes in processes, technology, roles, and mindsets.

In order to set your DevSecOps team up for success, leaders need to drive the change based on the mission. This means connecting goals and objectives to how these changes will impact and enable your specific mission (e.g., getting a capability out faster, security, scalability, etc.).

An effective cultural change requires leadership to not just provide goals and objectives, but to paint a picture that helps the teams see the “why”, enabling an environment for better collaboration and improving their engagement and experience.

Mind the knowledge gaps 

It’s important to analyse how equipped your team is with the skills and resources to change the DevSecOps structure. What would you need today to create a more efficient DevSecOps team structure? 

Organisations have embraced new structures in order to achieve certain outcomes, and they understand the link between organisational structure and the software they create.

Microservices and containers enable a DevSecOps model that iterates quickly and offers more autonomy within certain groups. The architecture of the code environment has a large effect on how teams work together.

For example, Grab’s DevOps approach is centred on automation. Development teams own their services, and the ability for devs to work independently has reduced the volume of cross-team communications needed and allowed work to be completed faster.

The findings from GitLab’s survey indicate that automation is on the move, with almost 40% of operations team members saying their development lifecycle is “mostly” automated.

A team structure that facilitates collaboration and visibility between the Dev, Sec and Ops teams, as well as tools that automate processes, are the hallmarks of an ideal DevOps lifecycle. 

Most teams use this opportunity to “re-mission” or “rebrand” their workforce, leveraging team members’ skillsets in fresh, new areas, which leads some internal critics to become strong champions for your changes because of what they learn. These champions then continue to advance the transformation as they contribute their experience and learnings to influence processes and policies in a thoughtful, less risky manner than outside technologists or those without hands-on experience ever could. 

The ideal DevSecOps team structure is the one that lets teams work together effectively and removes the barriers between code and production. It should not be us versus them – it should be us. As SEA companies turn to DevSecOps to transform rapidly and remain competitive, communicating as one collaborative team will inevitably build a cohesive structure that operates in much the same way.

Contributed by Anthony McMahon, GitLab’s APAC regional director

About the author

Anthony McMahon is GitLab’s APAC regional director with over 18 years’ experience in the technology industry in Asia, previously at SAP and HP. GitLab was recently cited as a Strong Performer in the Forrester Continuous Delivery and Release Automation (CDRA) report for Q2 2020.