To embrace DevSecOps within an organization, there need to be fundamental changes to processes and culture. There also have to be personnel with the knowledge, skills, and abilities necessary to operate in a DevSecOps environment. According to Lauren Knausenberger, Chief Transformation Officer for the USAF, this is why the Department of Defense (DoD) and the U.S. Air Force (USAF) are championing innovative initiatives to help discover and train the best “data ninjas” available.
And Knausenberger should know, being responsible for driving change across the formerly siloed branch of service in partnership with private enterprise and other government organizations, including the National Security Agency (NSA) and the Defense Information Systems Agency (DISA).
At the recent Sonatype-sponsored DevSecOps Federal Leadership Forum, Knausenberger and other government cybersecurity decision-makers came together to discuss the challenges in today’s government DevSecOps environments, including the need for a pipeline of talented personnel.
Continuous ATO requires true data ninjas
Continuous Authorization to Operate (ATO) is a coveted status for application development organizations that work within and for the public sector. “Continuous ATO is built for those who have done the work to become true data ninjas, to reward those who have done the work,” Knausenberger explained.
She describes continuous ATO as a guarantee that the environment uses all of the necessary automated checks, that the production pipeline constantly looks at the code as it’s working, and that there is a culture of assessment, rife with audits and accountability. Continuous ATO certification requires that an organization has a mature DevSecOps framework established.
For agencies and organizations to provide this level of security even with rapid development timelines, they must feed the pipeline. Knausenberger, who drives the Spark Tank event that “encourages Airmen to disrupt the status quo,” believes that personnel development is key.
The Spark Tank event is a competition-styled development showcase that draws entrepreneurship ideas from within the USAF. It’s just one of many innovative programs and initiatives, such as Digital U and Kessel Run, that Knausenberger has helped implement to recruit, train and develop a pipeline of talented cyber warriors and application developers.
Digital U provides training such as bootcamps and hackathons aimed at growing the USAF’s cybersecurity capabilities.
Kessel Run, which draws its name from the Star Wars film empire, innovates to promote rapid software development. Kessel Run is the smuggling route that Han Solo bragged about taking in 12 parsecs. Breaking with cultural methodologies inherent within the USAF is a driving concept for Kessel Run and other such initiatives. “We need to democratize the best-in-class training, gamify it, make it sticky. We need to use data to drive incentives and career paths, find mentors, and use skills in the place most needed,” shares Knausenberger.
Ultimately, these programs and initiatives illustrate Knausenberger’s determination to build a talented, skilled workforce of DevSecOps professionals. They also illustrate that she feels development, skills training, and innovative educational programs can help develop that workforce from within the military’s ranks.
Drawing on the ’90s Steven Seagal film Under Siege, Knausenberger states, “The best fighter was the cook. We don’t want to wait until a crisis to find out that our best data ninja is out painting fences somewhere.” If Continuous ATO needs this skill level, it is a great advantage to the USAF and other agencies to seek and nurture talent from within.
Baked-in security is the goal for a highly productive DevSecOps environment. It will take a workforce of highly skilled cybersecurity personnel to ensure foundational and ubiquitous security protocols. Our adversaries are well-funded and highly skilled. But, according to Knausenberger, if we can “raise the water line and the skill that the hackers need to harm you, and if they have to spend more to attack you, you are less of a target.”