For example, I’ve worked in DevSecOps for 10+ years. Whenever consulting, my first step is to implement a CI that picks up Pull Requests, builds them, runs code analysis tools (e.g. pep8, spotbugs, eslint, etc.) and has the CI comment on the Pull Request. The idea is to get an understanding of the project’s technical debt, stop things getting worse and ensure the solution ‘just works’.
Teams with huge amounts of technical debt will find a way to disable it when you’re not looking. They will develop all kinds of reasons, and in reality the technical debt was created because of cultural issues in the team.
So I’ve learnt it’s important, if you spot a team doing that, that the solution isn’t locking down the tool so they can’t disable it, or more process. It’s forcing out the technical leader, sitting with the team, working out why each one is fighting the tool and not seeing it as an asset, and teaching them to be better.
Earlier in my career the biggest lesson I learned was infosec was first and foremost a culture problem. Similar to your experience, working with people individually, meeting them where they are, listening, understanding, guiding, and modeling a better mindset all helps given enough time.
There are cases where some of those people just aren’t willing to work with you. It’s still possible to change the culture around them by influencing it more than they do. For every belligerent person, you can find one or more advocates.
You can’t fix a people problem with process.
Yes, same experience here. People will go the path of least resistance except if you actively collaborate with them to make it work.