Case Study
Telecom Pioneer Prioritizes DevSecOps Following an Agile Transformation
Company Details
Industry: Internet, Telecommunications, Mobile
Company Size: 105,000 employees across 21 countries; over 300 million customers
Location: Headquartered in the UK
Products: Fixed and mobile telephony, Broadband, Digital TV, IPTV, IoT
Cprime Services:
Executive Summary
The company has focused on cyber security as a top priority for many years. However, as they pursued an enterprise-wide Agile transformation, it became clear that security was not being addressed as early in the development process as it could be. In other words, the company’s development teams were working toward a DevOps structure, but they needed to establish a DevSecOps mindset instead.
Laying the foundation
The company’s adherence to leading industry security standards above and beyond local regulation is evidence of its focus on security. They have an international team of over 800 employees focused on constantly monitoring, protecting, and defending their systems and their customers’ data.
Once the company identified the need for DevSecOps, the Cyber Security team reached out to the coaches and consultants assisting with their ongoing Agile transformation to discuss how best to pursue it. The Cyber team leads the organization’s detection, response, and recovery efforts. Thus, they provided an excellent environment for a pilot program that could then scale to other teams.
One executive sponsor from the company noted, “As we got further along in the Agile transformation, we noticed a lot of teams implementing DevOps in various ways and at different levels of maturity. What was consistent, though, was that they were only considering security at the very end of the process. So, a batch of code might have gone through the entire planning, development and deployment phases, but then it would need to go through the security team’s testing process. This tended to create bottlenecks and rework.”
Security is such an integral part of what the company does. But the fact that it was last in line just didn’t make sense. It became clear that the security element needed to move earlier in the workflow. Without this, the teams wouldn’t be able to enjoy the benefits that DevOps should have been providing for them.
The executive sponsor wanted to build on the foundation of practice that was already forming as the Agile transformation progressed. So she turned to Cprime Lean Agile Coach Farooq Mohammed to help establish a DevSecOps mindset in the Cyber teams.
Steps to success
“The first thing we needed,” the executive sponsor said, “was for each team to include at least one person who was knowledgeable about and dedicated to security. We called these individuals Security Champions, and we worked hard to recruit them throughout the Cyber teams.”
The goal here was to ensure that teams considered security concerns as early in the development process as possible. DevOps facilitates collaboration between development and operations disciplines to speed the development process and improve quality. Cyber security considerations are a natural component to include. That way, teams could identify and address security concerns earlier in the process.
Likewise, automation in the security testing and scanning process allows for robust security monitoring. It also mitigates the bottlenecks created when teams wait until a batch is ready for release to scan it for security issues.
These new Security Champions met together routinely to share ideas and identify best practices. They also worked diligently to get buy-in from their teams and stakeholders in leadership roles. This proved invaluable as the program scaled.
The executive sponsor recalled, “One of the tools we used was a monthly ‘Hack-a-thon’ where we encouraged participants to try to break our code and help us identify security vulnerabilities. Then, those who participated and showed a real passion for the work became our new Security Champions. This ensured security remained top-of-mind, and we knew we had the right people embedded in teams to support what we were trying to achieve with DevSecOps.”
A security-focused development culture
As the practice matured, the company created a knowledge repository for security-related information. They also included a means by which anyone could report potential issues.
Mohammed noted, “After a while, we began hearing from other departments about potential security issues they had identified. That’s when we knew we’d succeeded in creating a security-focused development culture.”
Outcomes
The automated tools collecting data for analysis are still relatively newly installed across the company’s Cyber team workflows. This means that concrete metrics are not yet available. However, anecdotal evidence already shows a clear positive impact of this move toward DevSecOps.
Knowledge sharing increased dramatically, and everyone was working together.
“We’ve established a more concrete learning path,” the executive sponsor said, “so members of the teams who are interested in upskilling and diving deeper into security have the tools and opportunities they need to do so.”
The executive sponsor also noted that embedding Security Champions within the teams significantly smoothed the deployment and release processes. As more automated security testing and monitoring are implemented in the coming months, the speed and efficiency of the development process will only improve.
If you would like similar results for your organization, reach out to a Cprime DevSecOps expert.
Featured Team Members
Farooq Mohammed
Agile Coach
Farooq is a certified Advanced SAFe Scrum Master & Agile Coach with a history of working in the IT industry and Retail. He works to enable, empower, and create collaborative teams to deliver early and regular business value, aligned to their stakeholders' strategic goals. He has more than six years of experience working with leadership to gradually introduce a culture of self-improvement in their organizations.