DevOps State of Mind Episode 8: What do DevSecOps and Formula 1 have in common?
2.15.22
LogDNA is now Mezmo but the DevOps State of Mind podcast you know and love is here to stay.
Liesse Jones: Josh Minthorne is the co-founder and global technology director of Axcelinno, an IT technology consultancy and professional services company that helps organizations define and implement their DevSecOps adoption and cloud migration. Today, we're talking about why the security landscape has made companies hesitant to move to the cloud and what they can do to migrate with confidence.
Welcome to DevOps State of Mind, a podcast where we dive deep into the DevOps culture and chat with friends from small startups and large enterprises about what DevOps looks like in their organizations. I'm Liesse from LogDNA. Join us as we get into a DevOps state of mind.
Liesse Jones: Welcome Josh. Excited to have you!
Josh Minthorne: Yes. Thank you. Glad to be here.
Liesse Jones: Awesome. Let's start by telling our audience a little bit about yourself and how you came to be the co-founder of Axcelinno.
Josh Minthorne: My roots started hands-on-keyboard, consulting, writing a lot of code, and my first project was working with a customer in the home healthcare industry. We were completely re-platforming an off-the-shelf product. There was a lot of complexity to it and we were starting from scratch. And through that experience I started to really realize the need for automation. And then throughout my consulting career, I continued to see that. At the time it wasn't really called DevOps, but I started to really understand those principles and try to invoke them on every project that I was on.
Obviously at that point in time, the number of tools and frameworks that were available paled in comparison to what's available now, but the concepts and the need were still there. And then as I continued throughout my career, I got more and more into parts of the infrastructure, and then also into the cloud as it proliferated. So I've been very hands-on-keyboard for a number of years, and then got together with some previous consultants that I'd worked with at some other companies and we just started to create Axcelinno, which is a combination of accelerating innovation; that's how we have our name. And we focus on really two core things, which are DevSecOps and cloud. There are a lot of things that go into that and it always depends. We have a number of offerings there, but what we pull from is that we saw customers typically had challenges in these two areas, and quite often the two are actually combined for a number of our customers. And so we work with them to understand their challenges, their needs, what they are trying to do. Maybe it's new business capabilities that they want, and we really help to put together a solution and then help them with that. Whether that's a single solution or implementing DevSecOps or migrating to the cloud or all of these.
Liesse Jones: Awesome. It's really interesting to talk to people on this show because a lot of them have a similar experience to you, where they have been in the industry for quite a while, and they saw the need, and then DevOps and later DevSecOps kind of became the clear solution for solving some of the problems.
I had the complete opposite experience where I entered the tech industry pretty late in the game. And I only had experienced companies working in this kind of DevOps style. And I remember, my older brother who's been in tech for decades, when I had my first job in tech, I went to him the day that I realized not every company was already in the cloud and I was like, “Wait, what? This is a thing?”
And now having had the opportunity to work at LogDNA, where we work with a ton of customers who are still early in their adoption of DevOps and their migration to the cloud, it's interesting just to see how the different perspectives influence how you go after the problem.
Josh Minthorne: They do. You know, it's funny you say that you’re seeing that there's all these customers that aren't in the cloud. To put that into perspective, they estimate that right now, roughly only 3% of all available workloads in the world are actually in the cloud.
Liesse Jones: Wow. That's insane.
Josh Minthorne: Yeah. Especially when we think about how much is currently in the cloud, but again, it only represents such a small portion of what's out there and what's available and that number is going to just continue to grow.
The problems Axcelinno solves
Liesse Jones: Amazing. So people definitely still need a ton of help. What are some of those specific problems that you guys solve on the day to day for customers?
Josh Minthorne: Great question. I'm going to really answer that in two different ways. One from a DevSecOps perspective, one from a cloud perspective, and they really overlap.
From the DevSecOps perspective we see customers that are starting their journey, or have just started their journey around DevOps and maybe DevSecOps, and they're trying to figure out where do they go, where do they start? What does a strategy look like and how do they implement it? What are going to be some of the challenges? How do they overcome that? And that's primarily what we see. So we'll help customers, we'll do an assessment of their current maturity, and based on that we can identify a number of things. One of the key critical things that we identify is gaps, and those gaps can be around tools and platforms. Sometimes they don't have tools or platforms. Sometimes they have more than one tool or platform. Different groups using different things, and that causes operational challenges and things like that. And the other one is around skill set. You can understand the concepts and the methodology of DevSecOps, but as I like to say, just because you can read a cookbook doesn't make you a chef. And I don't mean that in a negative way. What I mean by that is that it takes repetition and practice and experience and building that muscle memory and just facing different scenarios and situations, because DevOps is not a tool. It's not a platform. It's methodologies and core practices and principles. So how companies do it is going to be a little bit different. Again, there are some fundamentals to follow, but it's not one size fits all. And so that's how we really help customers there.
And the other thing is with that experience and knowledge gap, as we all know, there's a bit of a shortage of a number of resources and skills within the labor market. We can help fill that. And we've helped customers where they're trying to build out a team, and maybe what they do is they bring on newer resources that maybe are a little bit on the junior side, or don't have as much experience, or there are different experience levels and different types of experience between all the individuals. And so there are differences, and what we'll do is we'll help bring them up to speed so that eventually the customer does have that team. And then in other cases, the customer doesn't want to necessarily invest in managing all of that, so we'll actually go ahead and provide that for them and they are a consumer of a DevSecOps service, if you will, from us, so we manage everything.
From the cloud perspective, the biggest challenge is, are we going to the right cloud? Have we set things up correctly? Are we operating and running things correctly? Also, how do we even start? What's the strategy? Because you can architect and build everything in the cloud, but all of your traditional applications and everything, how do they get moved? What should be moved? What's the priority? So going through that application rationalization process is really, really important to figure out which applications should be moved. And once they're moved, are there going to be changes, you know, the traditional lift and shift, things like that. Also, again, coming back to experience and skills, the same thing with DevSecOps applies to the cloud.
And then really overlapping all of it comes security. One of the biggest things that we see that stops development from moving faster is security. And that's why we really push on DevSecOps now. And then moving to the cloud, one of the big things is the concern from security around being in the cloud, and security is sometimes made out to be the bad guy, which I think is an unfair characterization because they're actually trying to understand risk and protect against risk, because when something happens, it can have a major impact on a number of facets of a business in terms of revenue, in terms of customer perception and brand awareness, and a number of other things. So again, working through DevSecOps, working through cloud, those are the things that we typically see, again with that underlying piece being around security.
Trends in cloud adoption from 2020 to 2022
Liesse Jones: There's been kind of a perfect storm in the last couple of years with the pandemic going on, a ton of breaches, a ton of vulnerabilities that are majorly impacting a ton of industries at the same time. How have you seen that change trends in cloud adoption? Are more people moving to the cloud? Are they more hesitant? Has it made no impact at all?
Josh Minthorne: Yeah. So I think that's a great question. So with the last two years, things have really been turned upside down, and I don't know if the pandemic has said, okay, now let's move to the cloud. I think really what it is is that the pandemic has now become an impetus for companies to look at how they're operating. They've now been remote for a long time, and now they're going to maybe a more hybrid model. And because they're looking at that, they start to look at other things and they start to say, “Hey, how can we reduce operating costs, but also reach customers, and also be able to have the agility, the flexibility, and the resiliency that's necessary to maybe now operate in this new world?” I think also certain industries were impacted greatly. And so they started to really have a focus on operational costs. Look at travel and leisure. People weren't on cruise ships, people weren't flying, people weren't renting cars, all these sorts of things. So these companies had to say, “Oh, wait a minute. You know, internally, we've got to look at how we're operating.” And you might be thinking, well, wait a minute, what does that have to do with IT?
I like to think of it as in this day and age just about all companies are actually IT companies that provide some sort of service. Banks are IT companies that provide banking capabilities. Look at Carvana, for instance, there's like one or two people there, but you do all of your shopping online, or you sell your car and you go drop it off and everything is ready. It’s not the traditional way that you used to do things. Technology is really the backbone that's able to provide a number of business capabilities. And I think that's one of the things that is really important.
And one of the things that's been seen, there have been reports done that show that between 2020 and 2021, when there was a breach, the average cost increased by 10%. Now, when we look at those breaches and we say, okay, there was a breach that was caused by somebody that was at an office versus a breach that was caused by somebody that was remote, there's a major cost difference. In fact, when it's a breach caused by someone working remotely, it's roughly a million dollars more in terms of the cost per breach.
And so that's why I think looking at things saying, “Hey, we gotta move to the cloud,” but also companies are saying “we have to get security under control.” I also think to be quite honest, that when companies are looking at moving to the cloud, it uncovers a number of gaps in security. Not necessarily because security wasn't catching things, but I think it was because a lot of times people work around and find ways to get around security that causes these gaps and potential issues.
Liesse Jones: That's super interesting. Why do you think it's so much more expensive for a breach that happened in a remote environment?
Josh Minthorne: I think because it takes longer to detect and therefore it's available for a longer period of time. And then because people can't, let's say, huddle into a conference room or walk over something. That takes time. And therefore it takes longer to alert people and to mobilize people and get people to start to look at it. And then you go through all the research and everything. It just ends up taking much longer. And I think a lot of times really what's causing that is the distance, the geography now has presented a challenge. And I think that what's important about that is when we think about the cloud and DevSecOps is that the goal there is to start to make it so that you leverage technology so that geography and distance is no longer a factor in terms of being able to identify something and then being able to research, troubleshoot, and resolve as quickly as possible.
The correlation between DevOps and cloud
Liesse Jones: That's awesome. Have you seen a correlation—I have a guess that you're going to say yes to this—a correlation between cloud migration and DevOps adoption? Are people really thinking about these hand-in-hand right now or not necessarily?
Josh Minthorne: Yes, absolutely. What we tend to see is that when someone's going to the cloud, DevOps is absolutely part of that. And the reason is that they're going to be starting to take advantage of new architectures, cloud-native architectures, they're starting to take advantage of the scalability and some of the other things that are provided by the cloud. And usually that's going to be pushed because you've got development teams that are wanting to take advantage of those things, and those development teams are wanting to start to use DevOps. And operational teams too, let's not forget that, because there's infrastructure as code, there's configuration as code, you get into chaos testing and all these sorts of things. So those teams are starting to push it. So that starts to be what pushes to the cloud as well. The other thing is that what we see is when we talk with customers, “Okay, how are you going to run in parallel?” You're going to have applications on prem, you're going to have applications in the cloud, sometimes you're gonna deploy to both. Well, the only way to really do that in an efficient manner and make sure that you're not creating a lot of additional administrative and operational burden is through DevSecOps. You want to be able to automate the deployments and everything else and the scalability that goes with that. And so they very much go hand in hand. And I think that you don't have to have DevSecOps to go to the cloud. But I think if you don't and you go into the cloud, it's going to be much more challenging. As the adage goes, the sum is greater than its parts. And obviously the parts here are the cloud and DevSecOps.
Liesse Jones: For those people who aren't doing both, and who are operating in the cloud with what I would consider more of an old school mindset, how do you think that they're going to be able to compete in the next few years? With other people who have changed the way that they think about the style of work and the way that they operate and collaborate.
Josh Minthorne: So what we've seen, and what we're, if you will, kind of predicting, is that if you don't make the operational changes and you're operating as is, those that have made the changes are going to be able to react to customer demands and wants and needs faster. They're going to react to market changes, right? There are going to be new entrants into the different markets. There are going to be ones that leave. They're going to be able to adapt there. They're also going to be able to grow easier as well. So if they're focusing on a specific market, let's say here in North America, and they want to go to other regions, if you've got things done in a way [that you're] leveraging automation and all these other things, you're going to be able to roll that out, and do that, and grow revenue much faster.
And the other companies, yes, they can do that, but because they're doing it slower, the first entrant really starts to have a lot of advantages in terms of gaining market share. And I would say that we've seen this before from companies that didn't embrace technology compared to companies that did. You know, there's the story of Blockbuster Video and Netflix; I would say that it is very much a parallel. They provided roughly, at the time, the same service, but Netflix started to do things differently and then started to really leverage technology as a competitive advantage, and look where we are.
Liesse Jones: Yeah, absolutely. I've been meaning to watch that documentary, I think it's on Netflix, actually, “The Last Blockbuster in America.”
Josh Minthorne: The irony is unbelievable.
Liesse Jones: Oh, it's so good. I like that Netflix takes those types of shots. I find it very hilarious, but I'm sure Blockbuster is not thrilled.
The emphasis on security in DevSecOps
Liesse Jones: So we've touched on this a little bit, but I want to dive deeper into the emphasis on security in DevSecOps and why it's so important to call that out rather than just talking about DevOps, which technically should include security as well. Why do you think it's important to call out security?
Josh Minthorne: So one is we continue to work with customers, and in my firsthand experience I saw this as well, that a lot of times the way it was is that security was seen as an obstacle or a challenge to releasing code and things that had been written. I remember writing code and we had a release weekend, and the week before, two weeks before, security would go through and scan and they would find all these issues. Far more issues than could be fixed before the release. And we said, “Hey, we have to release, because if we don't, we're not going to have a shot to do this for a month,” or for instance, I worked for some banks and insurance companies, so it was quarterly. So there was a massive window before the next time you could release. It wasn't just, okay, well, we'll do it the next day. And so what would happen is there'd be this horse trading, if you will, of we'll fix some of these things just enough to make security happy so that we can do the release. And then, we'll put the rest of these things on the backlog, which becomes technical debt. Well, the thing is, that stuff never really gets fixed because there are other things that start to get put onto the backlog, and the priority of addressing new customer issues or adding enhancements always wins out over security. So you start to rinse and repeat, because you're starting to add more functionality and doing these other things, and security keeps scanning and scanning. And these things just keep getting added.
Now I remember when I was a developer, it was just, “Hey, we understand, we want to fix these things. We want to address these things. We just don't have time. It just doesn't line up.” And so what ends up happening is that security becomes a bottleneck. Well, you can only release and do things as fast as your bottlenecks. And so with security, the goal with everything in DevOps and DevSecOps is to shift everything left, is to say, let's get security embedded into the fabric and the overall everyday process of writing code, and a developer, as they're writing code, could be warned about things that they're using. They check in code and it goes through a scan, right? They get this feedback immediately where they can go ahead and address things. So it becomes a little bit more natural and it's a little bit more iterative, as opposed to waiting for this thing that takes place at the end. And then there are other sorts of testing that can be done too. We always talk about automated testing, but there's SAST, DAST, there's IAST, there's white box, black box testing, and all this other scanning that needs to take place. Those things should be taking place as we're writing the code, just go ahead and scan every so often. And that way it's being fixed and addressed as we go, as the developers go, as opposed to waiting towards the end.
The great thing with that is that you start to then see ways forward. We work with customers where the security teams start to see this trend, that more and more things actually get fixed than before. And the number of vulnerabilities goes down, and therefore there's an inverse correlation: as vulnerabilities and things go down, security and stability go up. And what's interesting with that is that it starts to get done faster than it was done before, which I think is an incredible thing, because technically all the same work's getting done. It's just like slightly tweaking things, and now, all of a sudden, things are getting addressed.
And it's not just getting security to buy into DevOps, it's also getting developers to say security needs to also be at the forefront of your mind. And that comes down from a business standpoint. From NIST, the National Institute of Standards and Technology, they did a study and they found that as you go through every environment, the cost of a security issue to fix or a bug to fix increases. And what they found is that by the time it gets out into production, it's roughly 10x the cost as if it had been found in development and addressed. That's massive, because it has such a major impact when it's all the way out into production.
And I mentioned getting security to buy in on DevOps. Now the thing that's important with that, because you asked the question earlier about what about the companies that continue to do things as they have been? Well, this is where there needs to be a change. Security needs to start to understand DevOps and understand that this is now an opportunity to really change how security is done. There might be gaps in how things are being done. Well, now this can be done as part of the development lifecycle. The infrastructure, the code, everything can now be a part of that. So this is now an opportunity to actually, just from a pure security standpoint, improve what security is doing, and when we educate them and they understand that piece, and then we help with developers and everybody starts to get educated, now you've got all of these teams working together collaboratively. The same amount of work gets done, in terms of things getting fixed, and there's also less technical debt, the number of vulnerabilities and things goes down and the quality goes up.
Liesse Jones: First of all, I love all of the stats that you brought with you. They're so good. And I think they really help paint a picture for people who might not understand how important these concepts are. So I really appreciate that.
And then the second thing is, I think a lot of times when we're talking about shifting left, the common misconception is that that means everything falls on the developer. They have to think about operations, monitoring their code, they have to think about security. And it becomes a ton of pressure on one single person or group of people. But the way that you just described it, having security buy-in and understand the impact of DevSecOps is super important. And I think that that's something that people need to start calling out more, like it's developers thinking about operations and security, but it's also security thinking with the developer mindset.
Josh Minthorne: Yeah. And when we move to that, what we like to say is that you move from kind of this sequential DevOps sort of way, which is there's dev and then there's operations, and then the individual dev teams, they've kind of all optimized within their own little silo. And even though DevOps is meant to break down silos, what we still see is [companies say] “we do DevOps.” We say, okay, yes you do, but they still have silos. In fact, we've seen customers that have DevOps and then there's the DevOps team, and the DevOps team works in a silo. And so it's basically the same thing, different name, in terms of some of the things that are being done. When we've got dev and sec and ops all working together, we've now really moved to what we'd like to call a concurrent DevOps model. And that's where, again, like you mentioned, security is working with operations, and security is working with dev, and dev is working with operations, and dev is working with security, everybody. And what it's really about is not, oh, well, here's what operations does, here's what security does, here's what dev does. It's like, what do all of us do? If there is a security issue, then everybody's accountable. Security, hey, how do we address this? What should we do? Operations, how do we make sure we run, and do we need to fix anything? Development, hey, do we need to address this? How did we not catch it? And then you just kind of iterate over that, and that, again, becomes that much more collaborative sort of space.
And as you mentioned, I'm glad you bring this up, that pressure on the developers. Developers are empowered more to do more, but with that empowerment means more pressure and you can't just rely on just developers. That is a recipe for not necessarily disaster, but not success. Having everybody work together is really the key piece here.
Tips if you’re new to DevSecOps
Liesse Jones: Last question, I would love to hear tips that you have for folks who are early in their adoption of DevSecOps.
Josh Minthorne: First and foremost is get a lay of the land. Be honest, take an inventory of where you're at, understand your blind spots, understand your gaps. And it's okay to have those. Because if you don't do that, you're gonna overlook something, you're gonna miss something, and the whole premise is to get better. So you've got to do that. And then you've got to have a culture of it's okay to, people like to say “fail forward,” I like to think of it as you didn't fail, you learned. And so when something comes up, okay, how did this come up? Let's get this fixed, but then let's take the time to figure out what went on. I train in Brazilian jiu-jitsu and that's one of the things we do, and I'm a big F1 fan, and if you watch after the races, the team, the driver, everybody's sitting around and they're going over every little tiny detail of the race, because they're looking to say, “Hey, what did we learn? How can we improve?” And that might be for the next track, it could be for the next time they come back to that exact track, or it could be anything else. The goal is what did we learn? So that every time they are making incremental improvement.
And that's the other thing too, is when you're taking stock of everything, create a baseline, because as you make changes it's very important to understand the impact as those changes are made, and we do this with our customers when we're consulting. You need to measure the impact of every single change so that you say, hey, if we made this change and there's no impact, was it a valuable change, and why not? Maybe you made the change and there was no valuable impact, but maybe it's because something was missed. And it's not actually that the first change was not valuable, it's that something was missed. You've got to make another change, and now all of a sudden you start to get that impact. And so those are really, you know, the key things: take stock, measure, set a baseline, be honest and say, hey, look, we're not good here. Let's get better here. We didn't think this would happen. Why not? How do we address it? How do we make sure that we keep improving?
Liesse Jones: I've never heard a comparison between Formula 1 and DevSecOps before, but it's so good. Not only because of what you just said, but also it's like a team sport in a way. You know, you have the driver, but every person who's involved is deeply, deeply specialized in their contribution to the success. And they all have to work together and lean on each other and learn from one another to make it successful. I think that's my new favorite analogy.
Josh Minthorne: Well, good. You watch races and you know it's not just the driver, there's a car chief, there are engineers, there are two people for every tire on a pit stop. They all have to individually do their things, but they are also working together in harmony, because if any one piece has an issue, it all starts to fall apart. And that's really how it has to be. It's not just a driver driving a car. There's an entire, I don't want to say supporting cast, because I think they all support each other, and that's the same thing with DevSecOps. And quite honestly, you know, when you think about going to the cloud it takes a lot of different groups; when you're operating in the cloud it takes a lot of groups. Everybody has gotta be working together and understand how they impact things, and the goals and the barriers that they're going to get out of really doing these things the best way.
Liesse Jones: I had an idea for the title of this episode, but maybe it needs to be retitled to why DevSecOps and Formula 1 are one and the same.
Josh Minthorne: I think it's great. I think that's perfect.
Liesse Jones: Awesome. Okay, Josh Minthorne from Axcelinno, thank you so much for being here. For people who are interested in working with you, how can they find you? What's a good first step to engage?
Josh Minthorne: Our website, Axcelinno.io. There's also hello@axcelinno.io. You can also find us on LinkedIn and Twitter, so please definitely reach out. We'd love to understand more about what you're looking to do, the challenges you're facing, anything like that and see how we can help.