The Real Story of Agile and DevSecOps in Government
Are Agile and DevSecOps—ways to iteratively build and deploy software faster and better—overhyped?
I don’t think so. Agile and DevSecOps have changed the way startups and large organizations get features into production faster, better meeting the needs of customers. When done well, it means better product velocity, and reducing waste.
In government, we desperately need software and digital services that meet the needs of our public servants and the Americans they serve. This isn’t rocket science. The engineering practices in big tech, finance, and rapidly growing scaleups have shown that agile and DevSecOps work.
At Insight Partners, we think this ongoing shift in how software is built and deployed is an important investment theme. We’ve invested in Checkmarx, Sonarsource, Armory, JFrog, Sysdig, Aqua Security, Tigera, Kasten, Docker, Ambassador Labs, Tricentis, and many more important companies that are changing how developers, security staff, and operations professionals do their job.
In the federal, state, and local governments, Agile and DevSecOps are hot topics, and we’ve seen a lot of important activity and investment. In the DoD, we’ve seen the launch of numerous so-called software factories—from Kessel Run to BESPIN to SpaceCamp—and the rise of platforms like Platform One and Black Pearl. The Defense Innovation Board published an important Software Study about the importance of agile—and also warned about Agile BS, where defense organizations use agile terminology but continue to build waterfall. Federal civilian agencies have similarly been moving to incorporate agile and DevSecOps in their programs—in agencies from VA to DHS to Social Security.
But too often, these conversations about agile and DevSecOps focus on brand new apps, rather than modernizing or evolving existing systems. Most of the apps and systems in the federal government—really in any large enterprise—are called “legacy apps,” having been originally built some time ago, using traditional waterfall development. Many of them have been around for decades—and some of them are on mainframes.
So the real question at the heart of software in government—and in many large commercial firms—is how to apply agile to legacy apps? What are the impediments to doing so? Which systems should we prioritize, and why?
I explored these questions—and more—during an hour-long conversation, hosted by think tank ICIT, with two technology executives from the federal government:
- Kendra Charbonneau – Lead Engineer and Enterprise Agile Transformation Coach, US Air Force Business Enterprise Systems.
- Rajive Mathur – Former Chief Information Officer, Social Security Administration. Rajive recently joined The Boston Consulting Group, where he is focused on digital transformation, digital identity, and cyber.
Kendra Charbonneau discussed her readiness analysis of the portfolio of applications in Business Enterprise Systems — a U.S. Air Force unit of 2,300 airmen, civilians, and contractors who build systems for other parts of the Air Force. She found that, except for the newly created BESPIN, all of the other BES groups were in an early stage of moving to agile. Many had technical debt or lacked the training and tooling necessary.
After listening to Kendra, I’m convinced her approach should scale across DoD. In my opinion, every application portfolio owner across the DoD should be interested in her Agile and DevSecOps readiness framework. Without product owner involvement, training, tooling, and a commitment to regularly address technical debt, how can we expect government units to make real progress?
Rajive Mathur, who recently left Social Security Administration as CIO, talked about the importance of IT partnering with the lines of business. Rajive also spoke about the need to get executive-level buy-in across the Social Security Administration to support developers getting what they need to build software faster and more efficiently.
There were a lot of great questions in the chat during the panel conversation that we weren’t able to get to, so we compiled them and wrote answers here.
If you want to avoid the hype and understand the real-world challenges of applying agile to the vast majority of government systems, check out our conversation and the follow-up discussion.