ChefConf 2016: Lessons Learned
By Annie Hedgpeth · July 15, 2016
I was so thrilled this week to be able to attend ChefConf 2016! There were so many cool things about the week that got me super excited about the coming year. But also, there were things that made me excited about the future of the industry and how I can be a meaningful part of it.

First of all, let me just say that I was a little hesitant about going. I’m new to the industry, and I do not know everything about everything. But something I learned while I was there is that no one does! All it takes is a willingness and drive to learn more and more each day. That’s all anyone is doing.

For those that are new to technology, the feeling that everyone knows infinitely more than you can be really daunting. It’s tempting for it to feel a bit insurmountable, but I remind myself, and you, that all we can do is keep forward momentum going and we’re solid.

So the reasons that I went were varied. And many of my reasons can be better informed by my last blog post.

  1. I wanted to listen for the DevOpsSec cultural issues surrounding security.
  2. I wanted to get a feel for where security fits into devops overall.
  3. I wanted to have my suspicions validated as to where security is headed.
  4. I wanted to get a larger perspective for the industry to validate where I’m headed with my career.

DevOpsSec

On the first day of ChefConf I attended the Community Summit which was a big open space format discussion. So whoever wishes to, suggests a topic, and then everyone votes for what to discuss. I suggested that we discuss security and compliance and the issues surrounding getting that included into the pipeline. I honestly thought it was going to be a hot topic—high hopes.

Turns out no one cared—well, seven people cared. But still. I was surprised. I thought it was a bigger deal than was communicated by the lack of votes. Still, I wasn’t discouraged but rather spurred on to spread the good news of Compliance.

As the week progressed, however, I found that it was definitely a topic that was of concern at a higher organizational level. Large enterprises are noting security and compliance as a bottleneck and are pushing for improvement. Therefore, those in leadership see a deeper focus on security automation as a very great opportunity for improvement.

At 10:12, Barry Crist addresses this topic so well that I would have sworn he read my last post. At 13:33 he specifically addresses Compliance. Turns out he’s been on the same journey of discovery! How encouraging is that!

Fitting In

So I was interested to see how security and compliance were fitting into devops overall. DevOpsSec or DevSecOps or whatever you want to call it, has been a thing for a while now, but is security really as integrated as it needs to be into the ethos of devops strategies within organizations—not just up top but with your engineers, developers, sysadmins, architects, etc.? Short answer, I’ve found, is that it depends on the organization. Some have really embraced the challenge and have started doing it quite well, like Optum and NCR, and are becoming shining examples for others to emulate.

For others, however, it seems like it’s still the stereotypical nuisance that is getting tacked on to the end of production. That just tells me that there is still a lot of growth to happen and a lot of room for more education and change.

Where Security is Headed

That said, it looks like dev and ops folks will come on board soon enough because companies are asking for it, leadership is pushing for it, and security automation is becoming more obviously necessary.

Feels good, too, because it seems like I’m on track.

Odie Routh Speaking at ChefConf

Where I’m Headed

With all of that, it made me feel pretty good about the choice that I’m making to be more focused on security automation for a career start. I still think it’s an interesting problem to tackle, and even while I was there at ChefConf, I enjoyed getting people together to discuss the issues surrounding putting the Sec in DevOpsSec. It’s a multifaceted issue that will take some finesse within each organization to unravel. So I hope to start unraveling soon!