DevSecOps - Culture

Should I quit my job?

It’s day one of DevSecCon Seattle and Tanya Janca has just wrapped up her Keynote “Security is everybody’s job”. Tanya asks for questions and the first question is: “I don’t feel like my company takes security seriously, should I quit my job?”. Tanya’s answer to the question was: “Yeah, quit your job. There’s plenty of job openings out there. Why stay there?”

Wait, what? I thought Tanya was a DevSecOps champion. Is that the DevSecOps or plain old DevOps way? Are we supposed to grab our toys and go home at the first sign of trouble? OK, let’s give Tanya a break. It’s not easy shooting from the hip when you’ve got a room full of people staring at you.

Maybe I didn’t react appropriately either; after all, I got accused of “man-splaining” (by the guy who asked the question) after interjecting with a comment about knowing your culture before expecting change. It came out much less elegantly than that, and references to Westrum were met with blank stares.

This question, “should I quit?”, is the essence of blue team struggles. Most people are drawn to the red team side of security: it’s fun, and it’s cool to tell your friends you’re a “penetration tester”. Eventually you’ll figure out that all the red team work is pointless if there’s no blue team to help get it fixed. Finding vulnerabilities is the easy part. The hard part of security is convincing an organization, awash in problems, to pull resources away from other problems and focus them on the security problem you’ve just uncovered. This is the world of ilities.

Ilities are all the problems you need to solve after you’ve solved the first problem. The most common ilities are: Usability, Maintainability, Scalability, Availability, Extensibility, Security, and Portability. Security is just one of those things, and it doesn’t even have “ility” in its name. Distill ilities further and we’re talking about the second-order need of quality. First-order needs are features that bring customers in, things that solve their problems. Second-order needs are things that don’t cause more problems for customers after they’ve chosen our first-order solution. Quality falls into the second-order bucket.

The good news is most mature organizations have processes in place to manage quality. You shouldn’t have to reinvent the wheel when there’s a process in place; you should be jumping on the bandwagon. Heavy emphasis on “mature” in the previous statement. If you’re in a startup there’s probably little to no process for managing quality, so how do you establish it?

Need to know what levers to pull? It starts with knowing what type of culture you’re in. Lucky for you, Westrum did the hard work and figured out there are only three types of culture you can be in: Pathological, Bureaucratic, and Generative. Lucky for you, they’re easy to identify based on the messenger test: what happens to the person who delivers bad news.

I know what you’re thinking: abandon ship if you’re in a Pathological or Bureaucratic organization. Problem is, you’re going to be abandoning many ships with that mentality. The funny thing about these culture types is that it’s rare for an entire organization to fall entirely into one category. It’s possible you’re working on a Pathological team, within a Bureaucratic department, that’s within a Generative organization. You’ll have to learn what levers to pull at each level.

In Pathological cultures the messenger is shot. You’ll have to work on optics to avoid being seen as the messenger. Optics is the currency of Pathological cultures; it’s all about saving face, and that need to save face is the biggest lever you can pull. Never imply mistakes were made; focus on the positive outcomes, the “wins” that will come with doing the right thing.

Bureaucratic organizations aren’t bad things; they’re just really slow. Understanding the rules and laws of the bureaucracy is the key to achieving your desired outcome. The rules are often heavily documented and strict; you just need to figure out which rule to apply. You’ll also need to be patient.

Generative organizations are learning organizations that are constantly looking to learn and improve. Generative organizations understand that if you don’t do anything about it, the urgent drives out the important. They’re the best at managing quality, and open to feedback from blue teams. Careful what you wish for though: they move fast. Can you keep up? Are you generative?