Carrots and sticks can go only so far in driving cultural change, according to Jennifer Czaplewski, senior director of cybersecurity at Target. So, when she and her team set out to improve the retail giant's DevSecOps culture, Czaplewski turned to organizational psychology -- the study of how people behave in the workplace.
In a presentation at RSA Conference 2023, Czaplewski explained how the concept of organizational commitment affects DevSecOps culture. Organizational commitment describes the level of engagement individuals feel toward their jobs or employers, stemming from a sense of obligation (normative commitment), necessity (continuance commitment) or desire (affective commitment).
"If we're talking about security and the only reason developers are doing the right thing is because they feel a sense of obligation or because they don't want to lose their jobs, it's not going to be their best work," Czaplewski said. "They're not going to blow us away."
Her aim then became to encourage affective commitment -- the most powerful type of organizational commitment -- which would drive developers to uphold Target's DevSecOps culture because they wanted to.
In pursuit of this goal, Czaplewski's team next considered the concept of psychological contracts -- in this case, developers' beliefs about how their relationships with security should work. Psychological contracts can be formal -- e.g., an enterprise security policy -- informal or subconscious.
Jennifer CzaplewskiSenior director of cybersecurity, Target
"We have more than 4,000 developers at Target, each of whom has a whole bunch of expectations about how the security team should behave -- some they aren't even aware of," Czaplewski said. "Start thinking about what people might expect of you, whether formally, informally or subconsciously."
When the security team meets or exceeds psychological contracts, she added, developers' affective commitment grows -- leading to a stronger and more effective DevSecOps culture.
Psychological contracts at work
In considering how to earn developers' trust and buy-in, Czaplewski and her team committed themselves to the following psychological contract terms. These product security values form the foundation of Target's DevSecOps culture.
- Meet developers where they work. The AppSec team aims to embed security directly into developers' existing tool sets and workflows to minimize inconvenience and maximize efficiency.
- Offer end-to-end support. "It's a lot easier to find security flaws than it is to fix them," Czaplewski said, adding that, to be better partners to developers, Target's security team is training in coding practices. "When we find a vulnerability or something in a pen test, we can help fix those things rather than just throwing them over the wall."
- Make the right way the easiest way. It should be easier for a developer to do something securely than to do it insecurely.
"We can't roll out our 'mission accomplished' banner on any of this," Czaplewski added. "But it's our North Star, and we're really vocal about it with our developer community."
DevSecOps culture in action
To uphold these psychological contracts, Target's AppSec team had to make some changes on the ground. "We used to send developers tons of emails, lots of spreadsheets and a whole bunch of PDFs," Czaplewski said. "We'd say, 'Here's what the pen testing team found; here are your deadlines; get to work.'"
But, from a developer's perspective, synthesizing and prioritizing that information was frustrating and difficult -- a psychological contract violation.
In response, Czaplewski's team created a centralized system it calls Product Intelligence, which generates a security score for each software product and acts as a one-stop shop for actionable DevSecOps data.
"The scoring is consistent across all products at Target, so it's really easy for developers to understand the relative health of their application," Czaplewski said, adding that clarity and transparency is key in creating a healthy DevSecOps culture. "They don't have to trust us -- they can see for themselves."
Scores range from 300 to 850 and are calculated using the following breakdown:
- Findings and vulnerabilities (40%). Are developers closing vulnerabilities on schedule?
- Security services (40%). Are developers using available services -- such as static scanning, software composition analysis and pen testing -- to improve the product's security?
- Security culture (15%). Is the product team's security champion attending relevant meetings and trainings? Are developers performing measurable security-related behaviors, such as completing annual product security trainings, reporting phishing simulation emails, etc.?
- Security incidents (5%). Has the product caused a security event in the past six months?
Importantly, the Product Intelligence system also shows developers a prioritized to-do list for improving a product's security score. "They don't need to know how to sift through the information and decide if it's better to close this vulnerability or that one," Czaplewski said. "We outline it for them, and they can see how many points their score will go up if they take the right action."