This week, Carolyn is joined again by Bob Stevens, AVP Public Sector at GitLab, this time to talk about the power of hyperautomation. Listen in as Carolyn learns what can be gained through fast, accurate application security.
Carolyn: I'm excited to welcome back Bob Stevens, Area Vice President of Public Sector at GitLab. Bob is a seasoned veteran in public sector technology with over 36 years of experience.
As the AVP at GitLab, he is responsible for helping government organizations become more productive, efficient, and effective. Bob has experience on both the industry and the government side of things. Prior to industry, he served in the United States Air Force as a computer specialist at the White House Communications Agency.
Today, we are going to talk about artificial intelligence, machine learning, and what hyperautomation is exactly. Why Bob thinks it will be 2022's biggest trend. Bob, welcome back to Tech Transforms.
Bob: I'm happy to be here. Thank you. Appreciate it.
Carolyn: I'd like to talk about an episode that you just did with GovExec Daily. And on this episode, you mentioned that hyperautomation will be 2022's biggest trend. I'm going to be honest. I haven't really heard hyperautomation. And I get automation. I can deduce what hyperautomation is, but I would love for you to explain it to me. What's the difference between automation, hyperautomation, DevOps, all of that?
Bob: Yes, I mean, it's the strict definition of the word.
It's rapidly identifying, vetting in automated processes in order to produce whatever it is that you're working on as fast as you possibly can. And it trends today because if you think about the government space, they have a lot of compliance issues that they need to deal with.
Bob: If they can automate those compliance processes and ensure that when they build software, in the end it's going to be compliant and they don't have to go back and vet it. I mean, that's going to save them a world of time.
Carolyn: Are you talking about missed compliances, automating some of those missed controls? There's 300 of them, I think.
Bob: Yes, those. I think you're talking about FedRAMP.
Carolyn: Yes. One of. Or authority to operate has all of those. Right? I mean, I don't know all the details.
Bob: Yes, no. There's the STIGs. That the government has to put all software through and that's all about compliance. The government has to get the authority to operate, ATOs, for everything that they run.
Carolyn: And renew them every two or three years.
Bob: Or sooner. It depends on how much of a change occurred in the application. If you can hyperautomate all of that by the use of AI or machine learning. Again, and so by the time you produced that software, all those compliance issues are addressed. You know they're addressed because you've got confidence in the system and the way that it was done. It didn't require as little human intervention as possible, which is unfortunately, where some mistakes are injected.
Then you've saved a world of time and you've made life really, really easy for the folks that are doing the development. As well as the folks that are using the applications in the end. Because they don't have to sit and wait to get the authority to operate, which sometimes can take a year.
Carolyn: Is the differentiator between automation, DevOps, and hyperautomation really adding in, automating those compliances? And are you telling me that that hasn't happened before now?
Bob: Unfortunately, it has not happened. I mean, that's evident by the fact that the government still has to produce ATOs and they still are doing STIGs at the end of the development cycle. Unfortunately, it hasn't happened.
I think the government will embrace it and has started to embrace it. And therefore, will embrace hyperautomation, otherwise referred to as DevOps automation. Because it's really during the DevOps process that all that automation occurs. But it is going to continue to have focus.
Compliance is just one area. Security is another one. If I can ensure that when I'm done with my software development, it's free of vulnerability or known vulnerabilities. Then again, the developers can help the security folks be more supportive of those applications and getting them out to users faster, rather than having to put them through some other processes or manual processes in the end. Hyperautomation, it's not going to go anywhere. It's only going to build and become more important for everybody.
Carolyn: What's made it a thing now? First, my head's still spinning that we haven't automated a lot of these controls. But what's made it a thing now? Are there new tools coming online or did somebody just go, "Oh, you know what would be a good idea?"
Bob: It's a combination of both. It's the collision of DevOps with compliance built-in. Just having the ability to do that. This gets back to what we spoke about last time, which is the building of a platform, where all 10 aspects of the development life cycle are incorporated into one platform.
Bob: And now I can start to include things, like ensuring that code is vulnerability-free when it's complete. Ensuring that I've met all compliance requirements during the process, rather than waiting till the end and doing all the tests. It's a combination of both. It's new tools, new capabilities, as well as the fact that somebody said, "Hey, wouldn't it be a great idea to combine these?"
Carolyn: Yes. Right. Why haven't we been doing this in like forever? Are there any misconceptions about how hyperautomation can be used?
Bob: Well, I'd love to say that it's going to be the end-all, be all for everything, but it's not. It never is. And they'll always require some manual intervention at some point or some additional thought that needs to be required. But that just means we get to continue to iterate on it, which is part of the GitLab culture. We put things out in small batches and then we iterate them in order to get them closer to perfection. Rather than wait for perfection before we introduce whatever it is that we're working on.
Carolyn: I think you already kind of answered this, but is there a point where DevOps and hyperautomation overlap? Are they kind of the same thing? Are they two sites? How do they work together?
Bob: Yes. I think there's overlap, which is why I was saying that it's also referred to as DevOps automation.
Carolyn: Yes. It is the same thing, kind of?
Carolyn: Okay. You did the interview just this February of 2022 with GovExec Daily. Do you think much has changed in hyperautomation, just even in the last two to three months?
Bob: I think it has. I can tell you just from a GitLab perspective, you can now use our tool for some of those compliance, automated compliance processes that we talked about.
Carolyn: What kind of lift is that to get, for example, GitLab to make it so the government will accept that automation?
Bob: Yes. That's a good question. You know what? I have not been through that process yet.
Carolyn: But I would imagine you got to do an ATO kind of process on the automation side, so the government can accept it. Right?
Bob: Yes, no, that's true. I mean, they take our software and put it through the ATO process. What tool could you use to put ours through that would give us an ATO in the end? It's to your stacking tools, upon tools, upon tools.
Carolyn: Yes. Or maybe it's just eyeballs on it saying, "Yes, this works."
Bob: Yes. Again, back to our culture. I mean, transparency is key and we're going to be 100% transparent with the government or any entity that uses our technology. And we're going to show them exactly what's happening under the covers so that they're fully aware and can make their assessments.
I already know the government is embracing. Just as an example. I mean, they're required to produce a software bill of materials in the end. Because a developer can pull libraries from anywhere, it's important to build that software bill of materials in order to assure compliance. Well, our tool will build it for you.
Bob: We'll tell you where all those libraries were pulled from and produce the list. So that you don't have to go back or keep track or do some sort of manual process. I can tell you the government has embraced that. I mean, they want that to be an automated process. They don't want somebody going back through what could be hundreds of thousands of lines of code to figure out where did it actually come from?
Carolyn: Yes. I mean, talk about a security risk, to not know everything that was involved in building it. And then I would imagine, if you've got a tool that builds your SBOM, it's got to be aware as things get updated. The next version of the software, that's part of it.
Bob: Yes. I mean, that's where AI and machine learning really play a major part. Because you're right. We've got to know about every library that can be discovered out there and was written.
Carolyn: My chief technologist, Willie Hicks, likes to correct me when I interchange machine learning and AI. Is one used as part of this process more than the other? Do they both have their place? Because you've mentioned both, machine learning and AI.
Bob: Yes. I mention them because they're part of hyperautomation. I'm not going to tell you I'm an expert on either one of them. And of course, they can often have different definitions or be used interchangeably. I think to answer your question, I'm going to say it depends. Depends on who you're talking to at that particular time.
Carolyn: That makes sense. Well, we are coming up against time again. I'm going to thank you for your time. But before I let you go, I want to throw some more tech talk questions at you. I won't give you the same tech talk questions that we did last time. Let's go with books. Who was the author that you mentioned last time?
Bob: James Patterson.
Carolyn: Okay. Do you like Tom Clancy too? Sorry. He makes me think of Tom Clancy.
Bob: I have read Tom Clancy. Honestly, he uses too many words, so I don't read.
Carolyn: Right? You can skip a whole chapter and not miss the story. But okay, good. On the same page there. But do you have a favorite genre of books? Is it thriller?
Bob: Well, it is the criminal thrillers. Those are interesting to me because I guess, maybe that's the way my mind works. I'm trying to figure out what the end is long before I get to the end. I think that's what engages me quickly. I also like any leadership book that can help you be better.
Carolyn: Do you have a favorite or some favorites?
Bob: Yes. One of my favorites is Malcolm Gladwell’s Blink. I know people like to go to his Tipping Point, but I think Blink is the best one. Blink is really all about you trusting your gut. Because if you've done something for long enough, you're an expert. Therefore, you should trust your instincts. And I don't think that happens all the time. I think people question themselves and others. And I just think that book does a really good job of leading you towards trusting you.
Carolyn: Yes, I agree. I mean, I think that we have an intuition. That intuition gets a bad rap. That it's not knowledge, but it is. It's knowledge that we've built up over the years that I think we can respond to faster than our neat computers that sit on top of our shoulders can compute. We've got that knowledge somewhere that we've gained over the years. And maybe it is even encoded into us through centuries of our ancestors learning to run from the bear.
Bob: Yes. I've heard. For me, it's wisdom. That's what we've gained is wisdom.
Carolyn: Yes. There we go. That's a better word.
We need to trust that wisdom. We also need to impart that wisdom. That's part of our responsibility to our coworkers or our families, friends, whatever, whoever it is that you're engaged with.
Carolyn: Well, great. You've inspired me to go back and revisit Blink because it's been a while. Well, Bob, thanks again for joining us and taking the time to share some insights with our listeners.
Listeners, thanks for joining us. Please be sure to visit the website for the show notes and references that Bob made. We also want to thank our sponsors Dynatrace. Visit dynatrace.com to learn more about how you can literally transform faster, smarter, and easier. Please share and like this episode.