Introducing DevOps to the US Government – Part 1

Over the last four years, Redgate’s annual State of Database DevOps Report has provided valuable insights into how and why DevOps is being adopted, along with the drivers for introducing it for both application and database development, and the obstacles businesses and organizations face.

Importantly, with responses from developers, database specialists and IT leadership around the globe across all industry verticals, from small companies to big enterprises, it also highlights the varying challenges sector by sector.

In the latest report, for example, 79% of respondents in US Financial Services have adopted DevOps in some form, along with 75% of IT & Tech respondents, but this falls to 59% in the Government sector.

Similarly, only 11% of respondents had no plans to adopt DevOps within two years, but this rises to 20% for Government sector respondents.

When it comes to database development, 65% of private sector respondents say they will have a fully automated process in place for deploying database changes within one year, compared to 41% of those in the US Government sector.

What’s fascinating here is that despite those disparities, the obstacles to adoption, like a disruption to workflows and a lack of appropriate skills, are the same for all sectors in the Report, as are the main drivers for including the database in DevOps. Every business and organization – including respondents from the US Government sector – wants to increase the speed of delivery, free up developer time, and encourage better collaboration. By moving away from the waterfall method, they can release faster, more reliably, and respond to customer feedback sooner.

Every industry sector has different challenges when it comes to adopting DevOps. In Financial Services, for example, new clicks-and-mortar FinTech companies are challenging the traditional bricks-and-mortar players with innovative services and solutions. In Healthcare, privacy has always been an important factor that has to be accounted for in every digital transformation initiative.

The Government sector is no different and the three major challenges are:

  • Fully embracing a DevOps culture
  • Coping with cybersecurity threats
  • Addressing data privacy concerns

Fully embracing a DevOps culture

In order to adopt DevOps, organizations need to welcome the openness it requires, change the way they function, encourage experimentation and innovation, and work across departmental silos. It’s not as easy as it sounds because the culture that exists within organizations can be opposed to the collaboration and cooperation that DevOps thrives on.

The best way to illustrate it is the Three Cultures Model developed by American sociologist Ron Westrum, following research into the belief that organizational cultures shape many facets of performance. He identified three patterns, created and shaped by the focus of management and the response of the workforce to that focus.

In the model, organizations can have a Pathological, Bureaucratic or Generative culture. Pathological cultures are driven by one person or group and have a ‘do-it-this-way-or-leave’ approach. Bureaucratic cultures are rule-oriented and novelty is seen as a problem. Generative cultures are all about performance and getting things done in the best way by cooperating and working together.

As might be imagined, Pathological and Bureaucratic cultures aren’t a good fit for DevOps. By its very nature, DevOps requires cooperation and collaboration, and the kind of Generative culture that welcomes change.

Generative cultures also go beyond DevOps and are proven to deliver wider benefits, attracting talent, winning customers and creating a virtuous cycle of innovation. They’re seen widely in companies like Google, Amazon and Facebook, but Government sector organizations are more likely to have a Bureaucratic culture, where change is slow and rule-based.

This kind of thinking is supported by the annual Best Places to Work in the Federal Government rankings, based on the views of around 883,000 federal employees. Their value is best seen when they are compared to private sector surveys from consulting firm Mercer | Sirota, based on nearly 6.5 million responses from businesses in every industry sector.

In the 2019 surveys, the private sector employee engagement score was 77.0 out of 100 – 15.3 points higher than the federal government sector. On nearly every survey question, from having sufficient resources to get their job done to feeling encouraged to come up with better ways of working, and from their talents being used well to being involved in decisions that affect their work, federal employees are disadvantaged compared to their private sector counterparts. Yet those are the kind of factors that would be expected – and promoted – in a DevOps culture.

Coping with cybersecurity threats

In many ways, it’s perhaps no surprise that cultural issues are taking a back seat in federal government. The top priority for CIOs in the sector for years has been, and remains, cybersecurity. This is reflected in the annual survey of state CIOs conducted by the National Association of State Chief Information Officers (NASCIO) to identify their top ten policy and technology priorities for the coming year.

Cybersecurity and Risk Management has consistently been top of the list, and the major concerns for 2020 in the latest survey are governance, budget and resource requirements, security frameworks, and data protection.

These concerns match findings from research like the 2019 Data Breach Investigations Report from Verizon. Based on analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches, it doesn’t make good reading for the Government sector. While the report revealed that cyber-espionage accounted for 42% of breaches in the Public sector, which isn’t surprising, other surprises did emerge:

  • 16% of the total breaches involved Public sector entities, the highest of any sector, ahead of Healthcare and Finance, at 15% and 10% respectively
  • While 75% of breaches in the Public sector were perpetrated by outsiders, 30% involved internal actors and 1% involved partners (6% featured multiple parties and hence the apparent disparity in the percentages)
  • Nearly a third of breaches in the Public sector were caused by miscellaneous errors (18%) or privilege misuse (12%)
  • Common errors were the mis-delivery of sensitive data, publishing data to a server accessible by all site viewers, and misconfiguring servers to allow for unwanted access
  • The top three varieties of misuse were privilege abuse, data mishandling, and unapproved workarounds
  • Most worrying, across all sectors, 56% of breaches took months – or longer – to discover, but breaches in the Public sector were 2.5 times more likely to be undiscovered for years

It’s the internal nature of breaches and the length of time before they’re uncovered that’s most concerning. The use of solutions like monitoring, multi-factor authentication and malware defence capabilities is well understood in defending against external breaches, but errors, privilege abuse and data mishandling are much harder to plan for and mitigate against.

Addressing data privacy concerns

Cybersecurity threats are only one side of the coin. The flipside is the risks this creates to the personal privacy of the millions of people who interact with federal government agencies each and every day. The Federal Edition of the authoritative 2019 Thales Data Threat Report, The Changing Face of Data Security in the Federal Government, sums it up neatly in its Executive Summary:

“While Digital Transformation is driving benefits to agencies and constituents alike, it is introducing new difficulties for information security professionals, including the potential to put government secrets and constituents’ sensitive data at risk.”

The Report reveals that 60% of Federal Government respondents state that they have been breached, more than half of those breaches occurring in the past year. More worrying, perhaps, 82% of respondents also acknowledge they are vulnerable to data security threats, with 42% calling themselves ‘very’ or ‘extremely’ vulnerable. This compares to 37% of international government respondents and 34% of global respondents from every sector.

This has prompted a change in mindset in federal government. Whereas network security used to be the main focus, with the understanding that this would also protect the organization’s data, application and data security are now regarded as just as important. 32% of the focus in the Federal sector is now on data security, which compares favorably with the retail sector at 35% and healthcare at 36%.


Like every sector, the US Government has its own challenges when trying to introduce DevOps. Conversely, perhaps, the bureaucratic culture we talked about is the same culture that has already put in place the frameworks necessary to adopt DevOps. I’ll talk more about that in the second post in this series next week.

If you’d like to find out more, you can also download our whitepaper, How DevOps will transform the US Government.

