Tech Career Insights: Spotlight on DevSecOps

Gary Tamber

Gary Tamber is an accomplished Engineering Leader who has led teams effectively at various large corporations to transform the software testing and delivery process using modern tools & practices such as Agile, DevOps (CI/CD) and Cloud with Security in mind.

DevSecOps – maybe you’re familiar, or maybe you can only take a hazy guess at what this blend of words actually stands for. Either way, we’re breaking down the jargon and delving into this wildly in-demand force that’s shaping the future of software.

We spoke with Gary Tamber, P.Eng. CISM, Director of DevSecOps at ADP, about his journey in the industry, the current state of DevSecOps, and why these ground-breaking methodologies are essential to the success of modern businesses.

To begin, for those who aren’t familiar with DevOps or DevSecOps, can you give us a brief rundown of what these methodologies are and how they’re different?

DevSecOps, short for Development, Security, and Operations, is an approach to software development that integrates security practices within the traditional DevOps process. DevOps itself is a methodology that emphasizes the collaboration between software developers and IT operations teams to accelerate the software development lifecycle, improve efficiency, and deliver high-quality software products.

In DevSecOps, security is integrated from the beginning, rather than being bolted on as an afterthought. The goal is to create a culture where security becomes everyone's responsibility, not just the security team's. This approach helps in identifying and addressing security vulnerabilities and threats early in the development process, therefore reducing the risk of security breaches and minimizing its impacts to the business.

Like the name suggests, it's sort of a fusion of dev, sec and ops that is achieved by removing barriers and integrating it so tightly that it's morphed into one process.

How did you get into DevSecOps? What’s your background?

I have an engineering degree from the Schulich School of Engineering, University of Calgary and have been working in the IT industry for almost 20 years, taking on various roles ranging from development and testing to leadership positions.

About 8 or 9 years ago, I switched to working within DevOps, which was emerging at the time. As new technology was springing up, organizations began to shift to cloud infrastructure and many automation tools started becoming open sourced. These changes allowed companies to use new tools to code more quickly and deliver software products to their customers at a rapid pace that hadn’t been possible before.

As the cloud and open-source frameworks evolved, of course new cybersecurity threats emerged as well. This led me to focus on DevSecOps, where development, security, and operations are seamlessly integrated into the software development life cycle.

Can you tell us more about the relationship between DevOps and cloud infrastructure? When our clients are seeking to fill DevOps roles, they almost always require cloud experience.

Well, DevOps is separate from cloud computing. You can do DevOps without hosting on the cloud. DevOps is all about how quickly code can go from development to production, whether it's hosted on-premises or in the cloud.

DevOps and cloud go together like a peanut butter and jam sandwich; technically you can eat them on their own, but together they’re twice as good! Cloud computing provides a convenient and scalable solution for hosting applications and services, which complements the speed and efficiency provided by the DevOps process. So, DevOps and cloud combined can get your product in the market faster than ever possible before.

Also, leveraging cloud infrastructure means organizations can avoid on-premises data centers, which are daunting to set up, especially for startups and mid-sized companies. It requires a secure physical building, computer hardware, networking equipment, and a team of engineers to manage the operations.

With cloud providers, companies can simply rent out a portion of an existing data center as needed, scaling their resources up or down depending on their requirements. This flexibility is especially advantageous for businesses whose primary focus is not on technology, such as financial institutions or healthcare. By using cloud services, these organizations can reduce their technology footprint, maintain their existing data centers, and rent additional resources as needed, resulting in cost savings and increased operational efficiency.

Where do you see DevOps or DevSecOps functions evolving over the next 5 years?

DevSecOps is still relatively new and just getting started. I see this space exploding over the next decade. As more organizations recognize the importance of integrating security into their development processes, the demand for skilled professionals will only increase. DevSecOps is the natural evolution of DevOps. It’s a huge area of opportunity.

With a skills shortage in DevOps, do you find it easier to hire a cybersecurity developer and teach them DevOps or hire a DevOps resource and help them learn security?

It's hard to find both talents, so DevSecOps professionals are even more rare. It’s just not common for people to have experience and exposure to both development and operations. Someone who has worked in development, knows operations, and does security like a pro? It’s like finding a unicorn. I think the best bet is to hire developers or operations professionals and then train them in the other areas, as well as in cybersecurity.

Does it matter if a candidate has business experience when hiring for DevSecOps roles?

It depends on the level of the role. In leadership positions, understanding the business across all departments is vital. But for more technical roles, the focus can be on development and operations aspects without the need for extensive business knowledge.

What advice would you give people looking to transition into DevSecOps?

First off, it’s crucial to develop a growth mindset and be open to continuous learning. The DevSecOps landscape is constantly evolving, and being adaptable is vital for long-term success.

I’d recommend starting by building a strong foundation in development, operations, and security. These three pillars are essential. It's not a quick process or simple online course, so be prepared to invest time in learning and growing your skillsets. Do whatever you can to gain hands-on experience in each domain, whether that’s working on real-world projects, internships, co-ops, or even contributing to open-source projects.

I would also say, don’t exaggerate your experience on your resume. There are lots of opportunities for junior professionals, but if you’re saying you have years of experience without having the depth of knowledge, you are not going to get your foot in the door. A better strategy is to be honest and share your genuine curiosity to learn and grow, if you lack some experience. I would rather hire someone who knows less but has the passion to learn, over someone who might know a lot but lacks the desire to grow.

Lastly, don't be afraid to network and learn from others in the industry. Attend conferences, webinars and meetups, do your research, stay curious on the latest trends in technology and their implications on businesses.

For those considering a career in DevSecOps, now is an exciting time to enter the field and help shape the future of secure software development. Are you interested in exploring new possibilities? Get in touch and let’s chat.
