DevSecOps as a Service explained

DevSecOps as a Service explained

What is DevSecOps as a Service? Our philosophy is that “DevSecOps” is a functional role, not individual people. So rather than hiring an individual DevSecOps expert on a professional service basis as a consultant, you get a dedicated multi-person team to fulfill as many full-time equivalent (FTE) positions as needed.

Thus, your team is strengthened, operational risk is reduced, and more knowledge is brought in. All at a stable price, and with staff redundancy built in.
In this article, we want to share our philosophy, and how we at Elastisys practice that philosophy with our customers.

Risk reduction

Life is full of unexpected surprises. 2020 taught us all to work from home, but also, that everyone is at risk of suddenly being unavailable due to situational circumstances. Organizations have found that key staff have suddenly become unavailable for extended periods of time. This happens when a role is staffed by just a single individual, because there is little or no staff redundancy.
But with a multi-person team fulfilling a single organizational role on a DevSecOps as a Service basis, that risk is reduced. Because all team members are fully up-to-speed with the current state of the project, the team is still able to deliver. Unavailability of one member does not cause a stand-still, or loss of operational support required to keep processes running.

Great documentation becomes an integral part of work

To offer DevSecOps as a Service in this manner, the entire team must document their work to a very high standard and degree. This has two benefits to the customer organization: (a) documentation serves as a playbook for what has been done, and (b) knowledge sharing is built in. The customer organization immediately benefits from the experience that the DevSecOps as a Service team brings, and can learn from it. The documentation is a key requirement for audits, and to onboard new personnel. And, with time, the customer organization is able to take that knowledge and build upon it, in-house. Both new consultants and new employees are able to get up to speed quickly by reading the complete and up-to-date documentation that DevSecOps as a Service requires to function.

The Elastisys team showed great technical and social skills and quickly understood the problem and the environment. They proactively engaged with other teams and developed a very high-quality solution. I perceived them as very professional and can recommend them unreservedly for any type of engineering project.

René Bruns

Engineering manager at Klarna

Knowledge sharing

We typically staff one full-time equivalent person with an 80/20 or 50/50 split. So one person will work 80 percent of the time for the project, and another 20. The rest of the time, they will work on other projects. Or on developing open source software. This gives them both time to learn new things. Concepts that may benefit the customer organization, because they are able to explore topics in other settings. They then take that experience back to their DevSecOps as a Service engagement.
Broader horizons means more exposure to new technologies and smart ways of working. Perhaps a different engagement has implemented continuous delivery in a great way? That would be lost in a professional services company where individuals are never exposed to other than what happens outside of their own engagement. But with our DevSecOps as a Service concept, knowledge sharing is intrinsically built in.

This is part of our broader knowledge sharing philosophy, where we build knowledge sharing into our DNA. Internally using recurring tech seminars and lessons learned and externally in the form of open source contributions, blog posts and hosting community meetups.

Access to a broader set of skills

Modern DevSecOps practices span the whole development lifecycle and a great DevSecOps team carries experience that covers the whole spectrum of software development, operations and security. Splitting our DevSecOps as a Service teams into part time FTEs allows us to staff projects with a wider set of expertise, for example bringing deep security and PCI DSS knowledge to the table for a fintech organization while deploying a best of breed Kubernetes platform using the long experience of a Certified Kubernetes Administrator.

Strengthening your team to the degree you need

The DevSecOps as a Service concept allows for fractional full-time equivalents (FTE) staffing your team. Most consultancy firms that hire individuals only offer them on an all-or-nothing basis. With our approach, where time division between team members is already built in and our natural way of working, we can strengthen your team more dynamically. Do you need 0.5 FTEs for a few months as a way to support your current team? Or perhaps 2.5 during a few weeks to perform a major software migration or upgrade? Or 1.1 FTEs, where 1 FTE would administer your day-to-day and 0.1 would be staffed by a senior cloud architect, to help define your roadmap?

Summary

DevSecOps as a Service means that customer organizations get fulfillment of the role of DevSecOps, rather than hiring single individual consultants on an all-or-nothing basis. The DevSecOps as a Service approach is to let a team of experts fulfill the role together, in a split fashion. This reduces risk by introducing redundancy, ensures that documentation is top-notch, supports knowledge sharing, and allows for fractional engagements. Thus, your team is strengthened, given the support you need, and fully meets your demands. Therefore, you can focus on your core business and dynamically adjust your DevSecOps as a Service engagement as your needs change.

Lars Larsson

Lars is a Senior Cloud Architect at Elastisys. He has worked with cloud computing since 2008 and holds a PhD in Computer Science for his research in cloud computing. Together with Cristian Klein, he acts as Branch Manager for the Lund office.