Congratulations: You’re moving to a DevSecOps model for all or part of your organization. You’ve done it! You’ve worked out your processes, you’ve found the right tools, and finally all you have to do is to convince people to be involved. Easy. Right?
As it turns out, not everyone in your organization may be as excited about the culture change as you. Not everyone likes to change. DevSecOps will bring lots of it—how you work, what you do, how you interact with other people in the team, and beyond.
Let’s break down five types of people who may push back against a move to DevSecOps. However, keep in mind that you may not be able to move everybody along. There may be good reasons why people don’t want to change what they do—what they do at the moment may work pretty well, both for them and for the organization.
5 Types of People or Roles that Might Give You Push Back:
Not Invented Here
“Been there, done that.” We’ve all heard this. If your management has decided that a move to DevSecOps should be undertaken—even if the existing practices have been working—there’s probably been a realization that things could be more efficient, faster, and more secure.
“To win these folks over, show how the new idea makes the system and their ability to influence it better. There is a bit of a leap of faith, but keeping an eye on the price (the business value) and enabling them to deliver it in a slightly different yet more transparent way is what truly helps move this type along.” — Matt Takane, Agile coach, Red Hat Open Innovation Labs
These are people who have gained a level of experience in a particular area or domain and feel threatened by new processes. They often feel they are giving up control or diluting their expertise.
It’s important to stress they’re not diminishing expertise, but rather applying it to a broader set of processes. For example, testing experts need to explain to developers and operations people how testing methodologies can be exposed in their areas.
Stuck in the Middle
Middle managers are often stuck trying to manage their operations, preventing them from seeing the big picture when it comes to change. They will most likely accept something once it has been tested and proven and has reliable people backing it.
To help this type, “The biggest thing is balance. You have to balance your wants and desires with your manager’s and that of the organization as well. Coaches, influencers, and friends help here, and so does time management. Start small; you don’t eat an entire meal in one bite.” — Chris Short, principal product manager, Red Hat Ansible
Burned by the Past
These people, who have had bad experiences or wrong incentives from the organization, have either been through too many reorganizations or think DevSecOps is another fad.
Perhaps they put a lot of effort into the last agile transformation, but the organization only sent them to Scrum training, so no additional benefits were realized. Other people might be afraid of losing their power or jobs.
“When you can prove things like decreased lead time, more frequent and successful deployments, faster feedback, etc. then the naysaying eventually stops and whoever still doesn’t agree will likely leave. And that’s OK.” — Jared Ladner, Chief Architect, Geocent
The Careful CIO
You’ve likely met this person. Their fiefdom is crumbling, they’ve been burned by previous incidents, or they’ve been mandated to adopt and are playing catch-up.
The good news: It’s not too late. Show them what is likely an easier on-ramp thanks to maturity. Also, remind them that playing catch-up is possible, but there has to be a real concerted effort with headcount and funding. Look across the agency and organization for help and advice. Your problems probably aren’t as isolated as you think they are.
As you move your organization forward, it’s worth keeping in mind that a general good for all does not always translate into a positive change for every individual. The most important point to remember is that when people get defensive, it is generally because they feel threatened. In all these cases we’ve discussed, change can be threatening.
Just remember the old question: “How do you eat an elephant?” One bite at a time. Take change one step at a time. Execute, accomplish, and move to the next step.