Sitting down in the new Comcast Technology Centre at its headquarters in Philadelphia, Pennsylvania, Larry Maccherone, Distinguished Engineer of Comcast Cable, shared how the company is uniquely positioned for success in their agile approach to achieving a DevSecOps cultural transformation.
Maccherone’s professional background heavily revolves around data analytics and Lean-Agile, and he started his first business while still an undergraduate at university. “I’ve been a serial entrepreneur throughout my entire career. My first business had 80 employees and made US$20mn annually in sales,” explains Maccherone. “We were writing software that controlled a large portion of the world’s power generation, and it meant that if hackers exploited a vulnerability in the software, then it potentially brought down the world’s power grid. We got really skilled at writing software that didn’t have exploitable vulnerabilities.”
Upon joining Comcast in June 2016, Maccherone became responsible for overseeing the company’s DevSecOps transformation. “I have a love/hate relationship with the term DevSecOps. I believe that if you’re doing DevOps right, then the security part is automatically included,” he explains. “You don't call it DevTestOps or DevPlanningOps, it’s just DevOps. However, what I do like about DevSecOps is the emphasis on security. My definition of DevOps and DevSecOps is essentially the same. I define both as empowered engineering teams taking ownership of how their products perform in production, including security. When you get development teams owning the problem, you get a fundamental difference in decision making.”
Maccherone believes being able to change mindsets and adopt security practices into daily activities is a primary goal of any DevSecOps initiative. However, he states that it’s impossible without healthy collaboration and mutual trust. In order to achieve that level of trust, Maccherone introduced a trust algorithm. “The trust formula has three terms combined in the numerator: credibility + reliability + empathy which are all divided by apparent self-interest,” he explains. “It’s important that the apparent self-interest is as small as possible, with an emphasis on shared interests.” Maccherone believes that understanding and embracing each pillar of the trust algorithm is vital to success in DevSecOps. “Credibility means that you know what you’re talking about and it’s important that you’re not just saying things for the sake of it or repeating something you’ve read,” explains Maccherone.
Change management is a key driver to Maccherone and Comcast’s strategy. “The traditional way of gathering a response was to produce surveys. However, we found that the behaviour didn't change,” he says. “We decided on a framework that we can coach from and enable the developers to reflect on whether or not they meet the criteria. If we send an email to them then we get almost no response. However, if we sit with them and allow them to ask questions directly then they instantly start changing their behaviour.”
Perhaps more than any other factor, Maccherone recognises the value of forming strategic business relationships in order to realise long-term success. “We’re at the forefront of DevSecOps, and lots of our vendors see that,” says Maccherone. “We’re constantly searching for vendors that are trying to design their products to fit in with the direction we’re going.” Maccherone believes that without developing such robust and long-standing partnerships, the challenge of reaching the level of success Comcast has achieved would have been significantly harder. “Our vendors are a key to our success and we’re extremely excited and happy with the current set we have,” beams Maccherone. “They align well with our values and that’s been the differentiator to finding ways to reduce our security risk.”