The DevSecOps Equilibrium

Can you feel the tension in your organization between security, operations, and development? Does each side try to outmaneuver the other? Do they not talk for fear of conflict or being halted in their tracks? You know something needs to be done, but what do you do? The answer is simple — everyone needs to be more like pitcher plants. Stay with me here.

Chris Corriere is a fascinating guy to talk to, whether it's over a bowl of ramen or between sessions at a DevOps Days conference. He is one of those guys who searches for the deeper meaning of work, relationships, and behaviors. In every conversation, you'll learn something.

It's why we're revisiting his talk from the 2017 All Day DevOps — there still a lot to learn from him. In that discussion, Chris Corriere (@cacorriere) talks about the Nash equilibrium in relation to security and DevOps environments, shows how nature adapts to similar situations, and presents how we can pull security into a trust relationship, forming DevSecOps.

Every game has a dilemma. Chris explains, "The Sec in DevSecOps means the security folks are explicitly invited to the table. The dilemma is the fact that the invitation isn't implied."

In game theory, this fits into the Nash equilibrium — what is commonly illustrated as the Prisoner's Dilemma. You know the setup: two prisoners (A and B) are offered deals to testify against the other, but the deal goes away if prisoner A implicates B and vice-versa. Although if neither A nor B takes the deal, their sentences will be shorter than if they are both implicated. But, A and B can't talk to each other before deciding.

Chris contends the better illustration is the Stag Hunt. The hunters can work together and potentially get a stag to share for food, but, say one sees a rabbit on the hunt first. They could kill the rabbit and have some guaranteed food, but it would be a much smaller amount and could leave their partner high and dry. Cooperate or compete? Oh, the dilemma!

Chris then presents what he coined the Trinary Nash Equilibria — that each relationship in nature can devolve into: commensalism, where one organism benefits but the other one neither benefits or is harmed; amensalism, where one organism is inhibited or destroyed while the other is unaffected; or, parasitism, where one benefits at the expense of the other. None of these are beneficial for both organisms.

What we want to strive for in our organization is symbiotism, a cooperative relationship with high trust, that is beneficial to both parties.

This is seen throughout nature. One example Chris gave comes from low-light, crowded swamps where plants compete for sunlight and nutrients. A species of pitcher plants is shaped so that bats can easily find them with their echolocation cries. The bats roost on the plants, relatively parasite free, and the plant eats their poop. While admittedly gross for you and me, it is a win-win for the bat and the plant.

The DevSecOps lesson for the day: become the pitcher plant — adapt and offer value to unlikely partners.

Of course, human relationships are more complex than pitcher plants and bats. Chris talks for a bit about the Cynefin sense-making Framework by Dave Snowden.

As Chris talked about jungles, ecosystems, and nature, he walked through the value of diversity in nature, making the point that diversity reduces risk, whether in nature or in organizations. Monocultures don't survive. In DevSecOps, diversity is more than just combining development, security, and operations. It is about different skill sets, backgrounds, thoughts, beliefs. They combine to make our organizations stronger.

In the end, Chris left us with three takeaways:

• Augment humans with tech instead of replacing them.
• Spend time together. Communicate. Build trust. [Hint: this is the most important one]
• Work in diverse teams with mutual goals.

If you happen to be at the same DevOps conference as Chris, seek him out. He has some more interesting illustrations from nature and math to help us better understand and improve our organizations, such as Wardley value chain mapping, replacing Maslow's hierarchy of needs, and Inclusive Collaboration.