When psychologist Abraham Maslow came up with his hierarchy of needs pyramid in the 1940s, he probably didn’t know what a behemoth he was creating. Those five simple stages were a baseline that applied to so much more than individuals. That’s especially true when we think about software and the human-centric processes we use in its creation. There is a Maslow’s hierarchy to DevSecOps that organizations can use to drive success. 

This is even more important given world events. Resignations are at record highs, the supply chain is in the midst of unprecedented upheaval, and the need for digital transformation has never been so prevalent. Organizations that focus on their employee experience (EX) and customer experience (CX) will be the ones to come out on top. That’s why Maslow’s hierarchy is just as important today as it was 80 years ago. It can help guide and develop a better employee and customer experience.

Applying Maslow’s Hierarchy to DevSecOps

Maslow established the five-tier system to categorize the basic needs of human beings (physiological, safety, love, esteem, and self-actualization) and how they rely on each other. A person must meet the needs in one stage before moving on to another.  

For example, a person starving to death would not be capable of weighing the morality of stealing food from someone else. They’d be driven only by the desire to get that most basic need met. As those needs are met, new priorities are established that allow a person to reach actualization. 

DevSecOps is the same way. An organization that does not have its most basic needs met can’t reach the enterprise version of actualization, where the goal is often digital transformation. There’s a reason that 70% of these projects fail: the organizations embarking on them have not met the needs in their DevSecOps Maslow’s hierarchy.

Much like Maslow’s hierarchy, this pyramid only explains the need. It doesn’t cover how an organization gets there or what happens when it does.        

It’s not difficult to apply Maslow’s hierarchy to DevSecOps processes because they’re both layered models designed to drive actualization. Organizations set themselves up to become competitive leaders by reaching the actualization stage. However, to get there, they have to tackle the basics.  

Physiological – SDLC Basics

This is the DevSecOps baseline. The business is in rapid development or shifting from proof of concept to go-to-market (GTM) scaling. They may even be using a third-party prototype to develop software. They’re likely moving to source control, establishing a proper cadence of meetings, and trying out project management methodologies like Kanban, Scrum, and agile development. Mainly, they’re covering all those software development lifecycle (SDLC) basics.

In 2015, chemical company Linde was in this situation. It had in-house development but minimal process control. As a result, developers faced slow release schedules, unclear policies and procedures, and frequent errors. By establishing a strategic multi-year roadmap, along with end-to-end development transparency, Linde set a new DevOps baseline that supported 13x more releases by 2020.

Safety – CI/CD Pipeline

With the basics in place, it’s time to test-drive methodologies that focus on robust automation and embedded security. Many organizations start to implement these best practices on day one. However, most adopt them as the business grows. This is the DevSecOps safety stage of Maslow’s hierarchy. Enterprises build these checks and balances into their CI/CD pipeline to ensure secure development that flows for the life of the software.

GitHub is a great example when it comes to CI/CD integration. The company builds it into its core platform to manage code shipment and support the automation of time-consuming tasks. Strategies like these can cut time to merge by a third, GitHub reports, while frequent testing ensures the code is more secure.

Love – Culture

The obvious DevSecOps counterpart to love in Maslow’s hierarchy is culture. DevSecOps cannot thrive unless there’s buy-in at an enterprise level. To gain that, the organization must have a culture that is:

  • Trustworthy: A trustworthy culture is one that is transparent. Leaders ask questions and are not afraid to reverse course on decisions as they learn new information.
  • Regenerative: A regenerative culture is one that is built for change. Individuals are constantly growing and changing in their roles.
  • Blameless: The key to accountability is making it OK to admit there is a problem rather than looking for someone to blame. People take accountability when they know they won’t become a scapegoat for shining a light on an issue.

Culture is also vital for effective data practices and safety, as individuals will be more likely to adhere to security standards if they understand their purpose. It can also drive retention and innovation. 

The Lifetime Value Company is a great example of a tech firm that tackled the love component of Maslow’s DevSecOps. Named one of the top companies to work for in the nation, LTV touts a culture of “excellence through mentorship, the collective ownership of success, and the flexibility.” As other companies struggle to retain developers, LTV has doubled the size of its workforce. Meanwhile, it puts out best-in-class products while dealing with highly sensitive consumer data. 

Esteem – Stability

By the time it reaches esteem, the business has its internal practices down. However, now it has to worry about external-facing issues like compliance. In Maslow’s hierarchy, the human component is esteem. For enterprises, it’s similar as it ties to reputation.

These leaders are taking on compliance with programs like the Federal Information Security Modernization Act and the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform. They may be following the National Institute of Standards and Technology frameworks or embedding requirements under the General Data Protection Regulation for their European Union customers. Regardless of what program they follow, enterprises have found a way to embed regulations, restrictions, and development best practices into their very core.

Actualization  

There’s no universal definition of what actualization means for a business. For many, it points to a successful digital transformation. For others, it’s about the next level of automation, leveraging AIOps, or artificial intelligence for IT operations. Whatever the goal, the enterprise is capable of rapidly innovating complex products.

It’s where we see industry leaders that have robust in-house development teams that can focus on big-picture ideas. Their developers have the necessary foundation and tools to innovate — the employee experience is strong. It’s this type of enterprise that’s poised to compete in tumultuous markets like the one we face now.