For a concept that is still being defined to some degree, DevOps is frequently at the epicenter of enterprise transformation discussions, even if it is not always clear how it will be implemented. Jayne Groll, co-founder and CEO of the DevOps Institute, which promotes continuous learning among DevOps professionals, says proactive organizations making the most of DevOps assess their internal culture as much as their technology.

On Monday, the DevOps Institute released the 2019 Upskilling: Enterprise DevOps Skills Report on skills organizations want in new hires. Groll will be a speaker this May at Interop19 and took some time out to discuss the skills report and the path ahead for DevOps.

How do the most advanced, proactive companies currently approach DevOps?

"Some really heavy legacy organizations that have a lot of complexity in terms of their longevity have been building systems for many years while trying to stay up on market trends. The high performers or elite organizations are not necessarily the ones that have the coolest tools. Certainly, automation is key and though automation skills are desirable, it’s the people aspect that organizations really focus on. In almost every vertical market, I’ve seen standout organizations that say they want to shake things up in terms of how they organize themselves internally, moving from silos to squads, and a lot of pervasive continuous testing.

"The highest performing organizations have strong transformational leadership. Leaders who have vision, who are inspirational and bold. I think they recognized the importance of changing the way people behaved as much as changing how many tools they had. They also look at their business and say, ‘We’re no longer a cost center or just part of the machine. We are the business. We have to understand the business and be a critical enabler.’

"In the past you built your organization by adding specialists. Now there is a gravitation towards T-shaping, where a specialist supplements their skills with a much broader base of general knowledge. High-performing organizations understand they are going to live and die on the success of their people."

What percentage of applications and updates go through a DevOps process at “elite” organizations?

"I think a lot take the 80/20 road. DevOps Institute has a DevOps leader certification course, which says not every one of your applications should go through this full stack pipeline because you’re not necessarily investing in the right place. The general recommendation is to look at the top 20. Experimentation is a big philosophy in DevOps, so don’t experiment on your most business-critical [applications]. Start with small experiments and work your way forward. Take some services and break those down into independent microservices you could release separately."

How are things different at enterprises that might not be considered advanced or elite?

"There a was a belief that you had to be in the cloud in order to take on a DevOps approach. Most organizations that don’t yet fit into the high-performing or elite category are now exploring how to do this. First of all, you don’t have to be in the cloud. It’s easier in the cloud because there are tools and techniques that are much easier to implement in the cloud environment, particularly when you are looking to break down your services into microservices. Even Amazon at the AWS re:Invent conference put the blessing on hybrid environments. You can be a hybrid where you have some cloud and some on-prem. That kind of removed a barrier for some organizations.

"It’s an interesting divide. There are some who unfortunately think that if they bring on a bunch of open source tools that they are DevOps. That will get them a certain percentage forward but not a great percentage forward. They are not looking at the other functional or soft skills; they’re not looking at culture. DevOps is pretty big and there’s a lot of disparate information about what we do. I think those organizations are starting internal dialogues about what it means to them. The first step is having that conversation."

Where do enterprises find DevOps talent? Through hiring or reskilling/training existing IT staff?

"There is a huge talent gap. The question is what talent. There is the role of the DevOps engineer, which is an accepted title without any standards behind it. It is the top role organizations are looking for, or a DevOps manager to help them with the transformation. They are having a hard time hiring because they don’t know what talent to hire. Do they need DevOps coaches? Agile coaches? Do they need testing engineers? They are having a hard time finding talent. When you look at the skills that are must-have, the range of skills is crazy. A lot say they are grooming from within because they can’t find talent from the outside."

What are the key DevOps challenges that enterprises may face in the coming three years?

"There are many talented people in this space, influencers and thought leaders, but there’s a risk with branding everything as DevOps-compliant because it becomes hard to separate who can actually walk-the-walk. If organizations think that automation is their magic bullet to fast-track them to DevOps, they will make progress but a year or two into it, they will run into the same obstacles they face today because their planning horizon didn’t look at the whole picture."

The integration of security people with DevOps through DevSecOps might be a route to cleaner, safer code but is there a realistic fear that this will slow down the process?

"If we don’t start to look at security as a key practice that we need to integrate into everything that we do, there is going to be some major incident that hits the news and everybody is going to back off and say ‘I told you so. This is a little too risky for us.’

"DevSecOps basically says security is everybody’s responsibility with security as code. We need to start testing security much earlier in the cycle rather than making it a downstream activity. I think the security community is starting to embrace that from a tools perspective and for their personal future. I think two years from now we are going to see security as code being the norm."

During Interop19 in Las Vegas, May 20-23, Jayne Groll will be presenting: