
Escaping Unicorn Culture

This session was presented by Alex Cross at DevSecOps Days Washington, D.C., held virtually on October 12, 2022.

Software Engineering Institute



It's a cliche that the biggest blocker to DevSecOps adoption is 'culture,' which is shorthand for an impenetrable mass of people-y challenges. But in this talk, I'll tackle a very concrete case: unicorn culture.

In moving away from skill-centric and inert silos and towards cloud-native architectures, we often seem to end up dependent on a small cluster of highly skilled super-engineers. These rare, senior, and hugely adaptable individuals can each deliver the same expertise and quality as a 100-strong IT organization.

But of course, there are not many of them. So we fight over them, overload them, and push them to take on broader and broader responsibilities. Sometimes, they are infrastructure architects who are also best-in-class software engineers; sometimes, they are AppSec specialists who also know 16 different cloud platforms and eat firewalls for breakfast.

I like to call these people 'unicorns' because they're semi-mythological, implicitly priceless, and attempts to create more of them usually fail. Above all, relying on unicorns to build a DevSecOps capability is a bad idea.

In this talk, I'll explore the common problems caused by reliance on different breeds of unicorns in DevSecOps and present some ways we can escape this common cultural trap.

Alex Cross is the Group Head of DevOps at Endava. Over the last decade, he has helped some of the biggest names in multiple industries adopt a DevOps approach to IT, and today, he directs Endava's own DevOps-oriented delivery capability. Under the hood, he's a keen cloud architect and tinkerer, and there's a Philosophy PhD in there somewhere, too.