Unicorns: They sound too good to be true. But in this article, we’ll define DevSecOps unicorns and share why you should seek them out. 

Executive Summary

CFOs and HR look at headcounts and pay scales, but top hiring managers know that particularly talented individuals with rare combinations of skills can have outsized impacts on their organizations.

These people are hard to find, so they’re often referred to as “unicorns.”

In this article, we'll examine what we mean by the DevSecOps unicorn, explain why they’re important, and show how to find them and justify their cost.

Defining Unicorns

Background

In Stratascale’s research on zero trust, contributors highlighted the importance of unicorns for driving success in application development and modernization.

As Michael O’Neil summarizes,

“Build your unicorn ranks. One group member with a background in DevOps called on ZT applications managers to identify, hire, and retain ‘that unicorn – the application architect who has the mindset and knowledge to produce secure code – who can bridge security, risk, and DevOps’.”

Unicorns are talented individuals who possess both depth and breadth in their traits and skills. They come in many shapes and sizes, but in this article, we focus on unicorns who can lead the charge in DevSecOps for their enterprises.

Skills

Although it’s possible to speak of the “DevSecOps unicorn” as a general concept, in practice each unicorn brings their own unique combination of skills. Stratascale suggests that hiring managers be on the lookout for candidates with depth and breadth in a combination of any of the following skills:

The unicorn and their vast skillset can:

Help reduce administrative overhead. The unicorn’s breadth and depth of skills help collapse and simplify the value stream. Because a unicorn combines multiple skills within one person, they can complete end-to-end work that might otherwise require a small team with a ton of back-and-forth handoffs.

For example, a unicorn might be able to:

• Identify a valuable new feature.
• Determine how it should fit within the application architecture.
• Code that feature.
• Create a test script for it.
• Update the documentation.
• Prepare and present a training session to the team.

This means wearing the many hats of:

• Product manager.
• Developer.
• Quality assurance (QA) engineer.
• Technical writer.
• Corporate trainer.

The unicorn has collapsed all the communication, hand-offs, and queues that a functionally siloed organization requires.

Know when they don’t have the answers and know how and when to ask for help. Because unicorns have broad knowledge across a number of areas, it’s quicker and easier for them to determine when they’re out of their depth. They are less likely to spin their wheels when they get stuck working on something, and therefore they’re less likely to waste time. Unicorns often combine broad knowledge with drawing the right connections. This makes it easier for them to identify the most appropriate collaborators to complement their skillsets.

Bring a curious mindset for continuous learning. Once a unicorn hones one skill, their curious nature drives them to want to learn—and eventually master—another. The unicorn is not satisfied with doing the same thing day in and day out. They find fulfillment in learning from colleagues, completing certifications, and attending conferences and other external training opportunities.

Traits

Traits are inherent qualities that the unicorn possesses. DevSecOps unicorns:

Have a security mindset.

Unicorns use empathy to put themselves in the mind of cyber attackers, have a natural curiosity, and enjoy puzzles. They write secure code because they prioritize quality over throughput.

Joseph Karpenko, Stratascale’s Field Chief Information Security Officer, says, “Part of being a DevSecOps unicorn is having a curious mindset, continuously learning and improving hard and soft skills, and understanding why you want to code securely and why you want to validate software packages from open source.”

Unsecure code is detrimental—in fact, the US Department of Homeland Security found that 90% of reported security incidents stem from “exploits against defects in the design or code of software.” Unicorns can prevent such incidents with their adherence to security best practices.

Review code with devotion.

Unicorns take code review seriously and go the extra mile during this process. They see code review as an opportunity to add more value to their organization, not just through improving the code in front of them, but also through the mentorship and learning opportunities for the team member whose code they are reviewing.

Never lose sight of the end-to-end value stream.

A unicorn is keenly aware of the overall, end-to-end value stream that includes people, process, and technology. They know that maximizing productivity and quality requires a solid development environment that includes complete automation and end-to-end integrated security tooling.

This awareness of the end-to-end value stream leads the unicorn to adopt an “everything as code” mindset. In the words of Dennis Allen, Stratascale’s Director of Security Programs, “A true DevSecOps unicorn sees everything as code—from writing agile and lightweight threat models in code, rapid risk assessments using markup, and even generating documentation from code. It’s all iterative, test-driven, version-controlled code.”

Embrace failure.

If improvements were easy to make, they’d have already been made. Innovation is messy and requires risk-taking, iterations, and failures. Unicorns understand this. As Allen says, “the ability to think outside the box, try an idea, fail, and then keep going on to the next idea is part of the unicorn’s DNA.”

Unicorns embrace failures to generate learnings and improvements for themselves, their team, and the broader organization.

Develop people too.

Unicorns possess a passion for sharing knowledge and seeing others grow and succeed. Karpenko says, “Unicorns should not only have the qualities of a developer who lives by security best practices, but also the ability to see underutilized talent in others and the desire to develop that talent.”

Unicorns are leaders—they beget more unicorns by fostering the talent and potential of those around them.

Influence the culture around them.

Unicorns also possess a desire for continuous improvement. In The Effective Executive, Peter Drucker explains that the executive mindset includes a focus on “outward contribution.” Instead of just following orders and writing code, unicorns think about the bigger picture: They ask how they can contribute to the broader organization and developer community as a whole.

Karpenko describes the long-term benefit of the unicorn’s natural leadership trait: “Unicorns influence those around them, change their mindset, their behavior, and the culture.”

Karpenko continues, “At some point, the unicorn may leave your organization and that's fine. That’s good, actually, because then they may be able to go somewhere else and improve the culture there. So you end up with a kind of a community ecosystem that just spreads. You start upskilling and changing the mindsets of more and more people. As a business, you hate to see them go. But as a community of software development, you like to see it, because things become better for everyone.”

The Unicorn’s Value

They’re expensive to hire

Hiring managers could likely hire three employees for the same price as one unicorn. But in many cases, opting to hire the larger number of less expensive employees would yield a lower return on investment (ROI) for the organization.

Because the unicorn writes secure, quality code on the first try, all while fostering future unicorns and influencing the entire organization’s culture, they significantly reduce administrative overhead. They get things done more efficiently and reduce the risk of costly errors, vulnerabilities, and security incidents.

They’re expensive to replace

Pay should be based on how hard it is to replace an individual, and unicorns are far harder to replace because they’re so rare.

Finding another unicorn with the particular distribution of skills and traits your organization needs is exponentially more difficult (and expensive), because it requires that:

• They possess that skill or trait.
• They have depth in that area.
• They have the right mixture of skills and traits you’re looking for.

This can severely limit your pool of candidates who fit the bill.

Summary

With digital transformation at the forefront of every organization’s agenda, the ability to quickly and securely create, test, deploy, and monitor code in production is increasingly becoming standard practice. Hiring managers should look to attract and retain unicorns that will drive the transformation necessary for the success of their DevSecOps programs.

Talk to a Stratascale expert about DevSecOps.