"Technology is easy. Everyone is doing it. Culture is the challenge," says Katy Craig, a retired Navy chief who is now a defense consultant and cyber educator at Deloitte. When it comes to implementing new technology, a trusting environment can make all the difference. In this episode, Carolyn and Mark learn why prioritizing people is always a step in the right direction.
Carolyn: Our guest today is Katy Craig, a retired Navy chief. She's now a defense consultant and cyber educator at Deloitte. We're going to talk about her work, helping teams accelerate to deliver value safely and securely to customers.
She provides guidance on tools, technologies, and methods such as cloud security, agile methods, SDX, Zero Trust, and DevOps practices. One of my favorite topics and Mark's as well, is shifting security left for DevSecOps and continuous everything. Today, we're going to dial into how she helps teams embrace a DevSecOps culture, some of the biggest pitfalls, as well as best practices.
I read something on your bio and I was like, "I love that!" You say in your bio, "Technology is easy. Everyone is doing it. Culture is the challenge and where I can help most." Talk to us about that.
Katy: I'm trying to think if I can legally hashtag it, the people, s**. I actually Googled it. Somebody did back in the '90s after President Clinton said, "It's the economy, s**." Somebody actually said, "It's the people, s**." But I want to bring it back into the lexicon and into the vernacular. Because a lot of these buzzwords that we're hearing in the zeitgeist, DevOps, I need to go buy some agile.
We're going to do some DevOps. They're selling Zero Trust, let's go buy that. These are rarely turnkey solutions out of the box. It's rarely the technology that all these vendors are selling on the internet and promising is going to be the panacea.
Katy: No matter how great your tool, your weapon, or your process, if the people don't embrace it, they aren't brought along, and aren't included in deciding that's the tool we're going to use, that's the process we're going to embrace, they're going to fight you. They're not going to adopt it.
Maybe even in a bureaucracy, they might eventually go along to get along, but it will be delayed. It will be less of a quality approach. It's always going to come down to the people. We always have to remember that our reason for being here, for being in tech, for doing all this work has to come back to the people. I always go back to Gene Roddenberry and Star Trek. I'm a Trekker. Prime directive: you can do no harm.
What are the Boston Dynamics people doing? I worry about the robots. It's got to come back to the people. If we're doing this tech and pursuing all these areas, it's got to come back to: is it going to be good for the people? Is it going to make our lives better, make the planet better, or our country better? That's why I say, "You know what, everybody's out there peddling technology. Promising that if you install my platform, I'm going to solve all your cyber problems." It's just not true.
Mark: Are you talking about the mission? Or are you talking about getting the people on board with the technology to be able to leverage and use it? Is it the people as it relates to the mission, or is it the people as it relates to getting them on board with the technology, and how it can help them?
Katy: It does go to the unique problem of military teams, for example. We have administrative control and operational control. Then we have organizations in the military that acquire their technology. They decide whether to make or buy the technology to serve the warfighters who are operating the technology. Those separations are real. They're part of the challenge because of how they're organized, regulated, supervised, overseen. They spawn bureaucracy.
So the people, in their way, the policymakers need to understand that they themselves have a lot to unlearn. That takes a lot. It takes so much vulnerability in ourselves to say, "I need to relearn how to do acquisition." Using taxpayer appropriations to buy this capability is different in 2021 than it was in 1970: M1 Abrams versus containerized application.
We can't levy the same amount of oversight. The speed, there's so much delay in that type of bureaucratic oversight. For software, we can't move that slowly. So for the people to embrace that there is a new way of us living and fighting and being in the world during great power competition. You'll hear the military leadership talk about how we've got great powers rising and near-peer adversaries. There's a lot of saber-rattling.
They need to understand, those people, policymakers, legislators, government leaders, that the way they look at acquisition and technology needs to change. The users, the warfighters, are actually ahead. They are aware of what could be, the art of the possible. They're playing 4K UHD video games online with multi-million players. They know what technology can support and do. They're used to using game controllers, joysticks, and getting information very quickly.
Katy: Getting the warfighters, that group of people, to embrace the technology is easier in a way. What we need to do is help those people understand that bureaucrats are victims too. It's not like one person can come up in a bureaucracy and change it all.
Carolyn: You said prime directive. Do no harm.
Katy: Star Trek.
Carolyn: We can lose sight of what this is really all about, the reason we do all this. Yes, there's the mission. But the whole point of the mission is to make our lives, our families' lives, the Earth, to make it better for us. To be happy, to be healthy, the prime directive. As you were talking, I'm like, "Oh, I can get so focused on: Well, is this about the mission? Or is this about technology?" But what it's all about is us.
Katy: And helping us, the warfighter, the program manager, the citizens, and the family. We send volunteers off to join the military. It's not a job. They raise their right hand, swear under oath, give up certain rights and privileges, and do very dangerous work for us. The whole idea and goal really, if you adopt the people first concept, is let's not shed any blood at all. Let's avoid war.
Carolyn: Peacekeepers.
Katy: Let's keep the sea lanes open. I know the Navy, and so the Navy mission is one that's most clear in my mind. Let's support democracy worldwide and try not to allow human rights violations. Let us do good for the environment, just all those noble things that are supposed to bring all of us up as people.
Katy: I always come back to the person, the humanity of the situation. Acknowledging that they have their hopes, dreams, aspirations, no matter who they are. Working side by side, or serving alongside, or delivering to a customer, all people, we all should consider the person first.
Carolyn: That is the point of the mission. That gets me to these things that you educate on.
Mark: That was an incredibly rich answer. We could peel that bad boy back for the entire discussion today. You were hitting on so many different things. If I can dig in to just more of a specific thing. Explain to us the importance of DevSecOps to someone in the military.
Carolyn: What you do with educating at Deloitte. With the DevSecOps, why is that important and how do you explain it?
Katy: It depends, and that's the standard cybersecurity answer. It depends on the audience and who's asking the question. Why is DevSecOps important to me? It's the government authority, the government program manager, the mission to accomplish your mission, and delivering capability within cost scheduled performance. Let's do it fast, but let's do it safely.
We bring it down a little bit lower to the program managers on the contractor side. Why do I have to do DevSecOps and why is this important to me? These cyber people that you've got on the team, they're very expensive. We don't have enough of them and they don't scale. So we're going to try and use the technology to automate some of the routine tests and scans. So that your limited fill-in-the-blank engineer can do more on this product.
Katy: For the developer themselves, who doesn't know anything about security and probably has never been incentivized to care about delivering security features, it's important to communicate to her: if you build in this control, if you build in this check for multi-factor authentication, then down the line, to the left and the right, in the linear pipeline of delivering software, we don't have to test for it further down the right. So depending on who's asking in the organization, why should I care about DevOps, or DevSecOps, that determines how you address the response.
Mark: Is this any different for the military or outside the military?
Katy: Yes. The example I just gave you was the last team that I was on for a military organization.
Carolyn: Is it hard to get them to buy into the idea of DevSecOps? Does it add a lot to their workload?
Katy: What I find in bureaucracies is the bureaucrats are incentivized to go along. The bureaucracy is there. Everything about the incentives support the bureaucracy and the bureaucratic processes. When you try to tell a government client, maybe a two or three-star admiral, we shouldn't plan to do that gigantic operational test two years from now.
We really should be building in the six-week sprint little tests. And we really should not worry about all the outputs and all the requirements that you need to know so that you can brief them up to your higher-level authority. We need to remember that going outside of that process usually results in negative consequences.
Carolyn: Is that the culture now? I've been in this world of people that I'm surrounded by all the time, really embracing DevSecOps. So with what you just described to me, I hope I don't offend too many people, but it sounds very archaic. Is that really still the culture?
Katy: It is, absolutely. You have to remember that Kessel Run, Platform One, these are all huge paradigm-shifting successes. They get a lot of media coverage. It's easy for us to conflate those successes with, okay, it's enterprise-wide, everyone's practicing it. No. We are absolutely not. Depending on who happens to be in charge determines risk aversion, risk tolerance.
If I'm a two or three-star admiral and I don't like being the first person out there, let me try this, then I'm risk-averse. I'll be like, "No, I don't want to take that approach. We'll follow the documented process." That official over there is going to audit our stuff. We've got to back up our schedule 90 days for that because everybody in the bureaucracy has to overlay their checks.
Self-licking ice cream cones, justify my work and my job because this is how I'm incentivized. This is how the organization has hired us. These are the standard operating procedures. My performance reviews and merits and promotions depend on how well I do this process. Everything about it fights the change. That's why you see this.
Mark: That change happens about every two to three years.
Katy: No.
Mark: Well, that leadership swaps out.
Carolyn: The leadership changed. I think you're saying those are the bureaucrats.
Katy: Yes. I don't mean bureaucrats as an epithet. I'm using it for people who are subject to bureaucracy. Even in large corporations, there can be bureaucracies and "red tape." This is how we do it. It's not that anything intentionally started off maliciously, or ineffective, or inefficient.
But what we know in real life and on the ground is, if the people don't embrace the change, if the people don't think it's a good idea, if the people don't support that shift or pivot, it's not going to happen. Or it's going to take a long time. They may even outwait you.
Carolyn: Is that where you have to start? Really at the top, at the bureaucratic level, and get the leadership to buy in and have that initiative come down? Have you done it both ways, top-down, bottom-up? Which works better?
Katy: Again, cyber answer, it depends. It depends on the organization, and the openness of the organization. To bring it back to the people, it depends on the people that you're working with. The change has to start simultaneously top-down and bottom-up. We do have these, we see these pockets of innovation and small groups of military organizations like the Navy in San Diego.
I'm aware that there are some engineering organizations that are experimenting with building strong, safe, psychologically trusting teams. They're workshopping, taking new approaches to communicating and collaborating, making the best use of what we've learned over the forced remote work during the pandemic.
Katy: They're realizing now, I don't need my team for nine hours, butts in seats outside my door. We can do this remotely and we can get better minds on the problem. Actually, we can use this to our advantage to increase our diversity and bring more people to help us solve this problem. If only we can get out of our way. Let's unlearn all these old ways and try to embrace what Silicon Valley has proven.
They proved that you can do it better and faster and safer, as long as we remember we're not Silicon Valley. This is the US Military or the federal government, and citizens and taxpayer dollars. We can take what they're doing, the best of it, but we can pragmatically apply it. Keeping in mind the people that we're talking about and what those people need to do their jobs, to protect us.
Carolyn: When you go in to set up, to help implement and educate on embracing DevSecOps, what are some of the best practices? Or let's look at something really pragmatic here. Where do you begin? What do you see as best practices for these teams that actually started out super rough, but then, they really embraced this philosophy and they do it well?
Katy: My experience has proved that if you get to know the people on your team as individuals, try to remove all the transactional stuff, it's not I need you because you're an awesome coder. I really want to get to know you because you're my teammate. We're working together to solve this, or accomplish this mission. I don't know if it's a blessing or a curse, but what I do know is military leadership.
Katy: I was an Army brat and then I joined the Navy when I was 18. I've been a chief in the world's finest navy, and part of a mess, a chief's mess, that teaches and encourages and lives "get to know your people." Your job is to know your sailors. I do this on the teams too.
Know your teammates and know what's important to them. Where did they come from, and where do they want to go? And remember it. It's important because you're trying to make authentic, genuine, personal connections. So that you two together can do better work to deliver on the mission. Remember who they are and what they want because you probably know somebody who can help them.
That six degrees of separation comes into play, and that's what chiefs do. The mess is worldwide. It's like I know a chief on that ship, or I know the master chief over there. My guy is transferring. Let me connect them. Do that with your teams. Encourage them to get to know each other. As a leader, facilitate that with ice breakers and fun.
Carolyn: Do you do that? As a consultant, do you do things to facilitate this?
Katy: I encourage things like books, happy hours, and getting to know each other. I recommend 15-minute coffee talks, and for the teams to get together. In tough times, when we're facing what seem like insurmountable challenges, that's when you really get an opportunity to get your team to bond. There's this term in the military, we call it trauma bonding. I know that maybe other industries refer to it for things like Stockholm syndrome and kidnappers.
Mark: Healthcare professionals.
Katy: Yes. But really difficult challenges can be traumatic. In the military, you're faced with those quite frequently. Getting through those types of challenges can form a bond that will last your entire life on both sides. I'm not saying anything as heavy or as serious as that is going to happen with every connection that you make, but it could.
Even in the tough times, if you work together, the better you know your team and you know you can rely on them, and they have your back and you have theirs, the more successes you get through. You can build those types of lasting relationships, even in the industry.
Mark: When it comes to implementing DevSecOps in the military, or the Navy in this case, what pitfalls have you found or have you come across?
Katy: It's the separation of authorities. When you think about how the military's organized and the authority is, and where they get their money, and all the congressional oversight on how the money is spent, we can't negate the importance of it. Your tax dollars, my tax dollars, are very important that they spend it wisely in the way that...