Introducing DevOps to the US Government – Part 1

Over the last five years, Redgate’s annual State of Database DevOps Report has provided valuable insights into how and why DevOps is being adopted, along with the drivers for introducing it for both application and database development, and the obstacles businesses and organizations face.

Importantly, with responses from developers, database specialists and IT leadership around the globe across all industry verticals, from small companies to big enterprises, it also highlights the varying challenges sector by sector.

In the latest report, for example, 85% of Technology respondents have adopted DevOps in some form, along with 81% of those in Financial Services, but this falls to 65% in the Government sector.

When it comes to database development, 46% of respondents across all sectors have continuous delivery processes in place for some or all of their database changes compared to 36% of those in the Government sector.

Similarly, across all common DevOps practices like version control and the automation of builds, unit tests and deployments, the Government sector lags behind.

What’s fascinating here is that despite those disparities, the obstacles to adoption, like a disruption to workflows and a lack of appropriate skills, are the same for all sectors in the Report, as are the main drivers for including the database in DevOps. Every business and organization – including respondents from the US Government sector – wants to increase the speed of delivery, free up developer time, and encourage better collaboration. By moving away from the waterfall method, they can release faster, more reliably, and respond to customer feedback sooner.

Every industry sector has different challenges when it comes to adopting DevOps. In Financial Services, for example, new clicks-and-mortar FinTech companies are challenging the traditional bricks-and-mortar players with innovative services and solutions. In Healthcare, privacy has always been an important factor that has to be accounted for in every digital transformation initiative.

The Government sector is no different and the three major challenges are:

  • Fully embracing a DevOps culture
  • Coping with cybersecurity threats
  • Addressing data privacy concerns

Fully embracing a DevOps culture

In order to adopt DevOps, organizations need to welcome the openness it requires, change the way they function, encourage experimentation and innovation, and work across departmental silos. It’s not as easy as it sounds because the culture that exists within organizations can be opposed to the collaboration and cooperation that DevOps thrives on.

The best way to illustrate it is the Three Cultures Model developed by American sociologist, Ron Westrum, following research into the belief that organizational cultures shape many facets of performance. He identified three patterns, created and encouraged by the focus of management and the response of the workforce to that focus.

In the model, organizations can have a Pathological, Bureaucratic or Generative culture. Pathological cultures are driven by one person or group and have a ‘do-it-this-way-or-leave’ approach. Bureaucratic cultures are rule-oriented and novelty is seen as a problem. Generative cultures are all about performance and getting things done in the best way by cooperating and working together.

As might be imagined, Pathological and Bureaucratic cultures aren’t a good fit for DevOps. By its very nature, DevOps requires cooperation and collaboration, and the kind of Generative culture that welcomes change.

Generative cultures also go beyond DevOps and are proven to deliver wider benefits, attracting talent, winning customers and creating a virtuous cycle of innovation. They’re seen widely in companies like Google, Amazon and Facebook, whereas Government sector organizations are more likely to have a Bureaucratic culture, where change is slower and rule-based.

Attitudes are shifting, however, with The Government Trends 2021 report from Deloitte finding that 78% of US government executives believe the use of agile and DevOps methodologies is having a significant positive impact on their organization.

Coping with cybersecurity threats

In many ways, it’s perhaps no surprise that cultural issues are taking a back seat in federal government. The top priority for CIOs in the sector for years has been, and remains, cybersecurity. This is reflected in the annual survey of state CIOs conducted by the National Association of State Chief Information Officers (NASCIO) to identify their top ten policy and technology priorities for the coming year.

Cybersecurity and Risk Management has consistently been top of the list and, alongside it, the major concerns for 2022 in the latest survey are improving the digital experience, strengthening broadband connectivity, and implementing cloud services.

The continuing dominance of cybersecurity matches findings in the 2021 Annual Data Breach Report from the Identity Theft Resource Center (ITRC), which found that the number of data compromises in 2021 was up more than 68% compared to 2020, setting a new record.

This matches similar findings in the Federal Edition of the Thales 2021 Data Threat Report, in which 45% of federal respondents reported experiencing a data breach at some point, with 47% of those stating it had occurred in the last 12 months. 47% also reported an increase in the volume, severity and/or scope of cyberattacks, so this is an ongoing – and growing – issue.

Addressing data privacy concerns

Cybersecurity threats are only one side of the coin. The flipside is the risk this creates to the personal privacy of the millions of people who interact with federal government agencies each and every day. Perhaps surprisingly, the usual suspects like external hackers are not the biggest risk here, as shown in the Thales Report.

When asked what the greatest risks to their environments were, 35% of respondents ranked malicious insiders as the number one risk. This was followed by human error at 31%, while external attackers and nation states were 22% and 12% respectively.

This revelation, that two thirds of the risk comes from inside actors and people making mistakes, is worrying, particularly when the Thales Report also reveals how data is stored, classified and encrypted.

Only 28% of federal respondents had a full knowledge of where their data is stored, just 33% claimed to be able to fully classify their data, and only 33% were able to avoid a breach notification process because stolen or leaked data was encrypted.

This has prompted a change in mindset in federal government. Whereas network and perimeter security used to be the main focus, with the understanding that this would also protect the organization’s data, application and data security are now regarded as just as important.

Summary

Like every sector, the US Government has its own challenges when trying to introduce DevOps. Conversely, perhaps, the bureaucratic culture we talked about is the same culture that has already put in place the frameworks necessary to adopt DevOps. I’ll talk more about that in the second post in this series next week.

If you’d like to find out more, you can also download our whitepaper, How DevOps will transform the US Government.

For more information about how Redgate solutions can help you keep sensitive data protected without slowing down development, visit our dedicated Federal Government solution pages online.