Comcast: Introducing DevSecOps & Digital Transformation

Larry Maccherone, Distinguished Engineer of Comcast, shares their agile approach to achieving a DevSecOps Transformation.

As a global leader in media and technology, Comcast is the parent organisation of three primary businesses: Comcast Cable, NBCUniversal, and Sky. Comcast has more than 55 million subscribers, with Sky renowned as one of Europe’s leading entertainment companies operating in seven territories and Comcast Cable recognised as one of the biggest cable TV, high-speed internet, and phone providers in the United States. Sitting down in the new Comcast Technology Centre at its headquarters in Philadelphia, Pennsylvania, Larry Maccherone, Distinguished Engineer of Comcast Cable, shared how the company is uniquely positioned for success in their agile approach to achieving a DevSecOps cultural transformation.  

Maccherone’s professional background heavily revolves around data analytics and Lean-Agile, and he started his first business while still an undergraduate at university. “I’ve been a serial entrepreneur throughout my entire career. My first business had 80 employees and made US$20mn annually in sales,” explains Maccherone. “We were writing software that controlled a large portion of the world’s power generation, and it meant that if hackers exploited a vulnerability in the software, then it potentially brought down the world’s power grid. We got really skilled at writing software that didn’t have exploitable vulnerabilities.”  

Upon joining Comcast in June 2016, Maccherone became responsible for overseeing the company’s DevSecOps transformation. “I have a love/hate relationship with the term DevSecOps. I believe that if you’re doing DevOps right, then the security part is automatically included,” he explains. “You don't call it DevTestOps or DevPlanningOps, it’s just DevOps. However, what I do like about DevSecOps is the emphasis on security. My definition of DevOps and DevSecOps is essentially the same. I define both as empowered engineering teams taking ownership of how their products perform in production, including security. When you get development teams owning the problem, you get a fundamental difference in decision making.” 

Since its creation over a decade ago, DevOps has become a vital component of how companies operate. Building upon the foundations of the agile movement, DevOps leverages automation, for quality and security testing as well as for formerly manual deployment and operations activities, in a bid to introduce software into production at speed. The primary goal of any DevSecOps initiative is to enable development teams to change their mindset and adopt security practices into their daily activities.  

However, Maccherone believes it’s impossible without healthy collaboration and mutual trust. In order to achieve that level of trust, Maccherone introduced a trust algorithm. “The trust formula has three terms combined in the numerator: credibility + reliability + empathy which are all divided by apparent self-interest,” he explains. “It’s important that the apparent self-interest is as small as possible, with an emphasis on shared interests.” Maccherone believes that understanding and embracing each pillar of the trust algorithm is vital to success in DevSecOps. “Credibility means that you know what you’re talking about and it’s important that you’re not just saying things for the sake of it or repeating something you’ve read,” explains Maccherone. “Writing code has changed a lot in five years. DevOps was in its early stages back then and it’s fundamentally different now. If you come into a meeting with those old mindsets, make assumptions and use outdated terminology, then the development team will pick up on that and you’ll lose credibility. Reliability is the same regardless of the context; it’s the old business expectation of making and meeting commitments. It’s important to follow through and do what you say you are going to do. Finally, empathy is all about how much compassion you show, and the awareness of how challenging something is.” 

Maccherone believes that establishing the trust algorithm has increased efficiency and ultimately led to better decisions. “Lots of security groups at other large companies spend an inordinate amount of time cajoling development teams to do things,” he says. “The reason they have to spend such a considerable amount of time policing is due to a lack of trust. Showing empathy is crucial and it’s important to acknowledge how difficult something is to do. However, it’s also fundamental to explain why you’re trying to make the case that this risk supersedes all of those challenges and give the reasons why. It’s vital that you aren’t dictating them.” Coaching rather than policing is a key aspect of Comcast’s strategy. The company also has a programme in place that provides immediate feedback to the development team while also providing aggregated metrics to guide coaching efforts. “We created a workshop where we sit down with the development team, walk through the trust formula and the company’s DevSecOps practices and give them a chance to internalise what that practice means,” explains Maccherone. “When someone feels like they’re being forced into out-of-context practices, their natural reaction is to avoid them. That isn’t what we want; we want them to reach out and partner with us.”

Change management is a key driver of Maccherone and Comcast’s strategy. “The traditional way of gathering a response was to produce surveys. However, we found that the behaviour didn't change,” he says. “We decided on a framework that we can coach from and enable the developers to reflect on whether or not they meet the criteria. If we send an email to them then we get almost no response. However, if we sit with them and allow them to ask questions directly then they instantly start changing their behaviour.” With any successful transformation comes the challenge of recruiting and retaining top talent, and Maccherone believes it’s the most challenging part of any business. “It’s the key to any tech company,” affirms Maccherone. “The HR department that we have at Comcast is fantastic. They really understand the importance of exceptional talent. Candidates want to have work that is interesting, fun and challenging, in addition to working with peers they respect.”

In a bid to achieve mutual success, Comcast Cable has established a number of key partnerships, such as with WhiteSource, Vulcan Cyber, Checkmarx, Go2Group, Contrast Security, Synopsys, Bugcrowd and Veracode. Maccherone recognises the value of forming strategic business relationships in order to realise long-term success. “We’re at the forefront of DevSecOps, and lots of our vendors see that,” says Maccherone. “We’re constantly searching for vendors that are trying to design their products to fit in with the direction we’re going.” Maccherone believes that without developing such robust and long-standing partnerships, the challenge of reaching the level of success Comcast has achieved would have been significantly harder. “Our vendors are a key to our success and we’re extremely excited and happy with the current set we have,” beams Maccherone. “They align well with our values and that’s been the differentiator to finding ways to reduce our security risk.”

DevSecOps has become a hot topic in the technology space in recent years and Maccherone has observed its rapid rise first-hand. “Three years ago, I started a Google alert on DevSecOps and would get one hit a week or even a month,” he says. “Now, I get 10-20 every day and we’re not even at the steepest part of the adoption curve for DevSecOps yet.” In 2019, Comcast’s goal was to scale the DevSecOps programme; the tech giant achieved that by tripling the number of teams onboarded to the programme. “By the end of 2020, we aim to double that number again, and I expect that will get us close to the saturation point of all the teams at Comcast. We’ve gone from essentially launching the programme to evolving, optimising and scaling it to the point of saturation. After we reach that saturation point, I anticipate that we’ll add more capability, tools and practices over the next few years.”

