Taking a team that is used to working one way and instilling an Agile mindset and enterprise DevOps practices will not happen overnight. In fact, it probably will not happen even two or three months later, since thought processes and working habits need to change. Whoever drives the change should not try to force it through, because that only breeds animosity and resentment toward them, and they will become increasingly frustrated themselves as well.
A good service provider will sit down with you and agree on expectations. When drafting the statement of work, the provider needs to understand that patience will be necessary and that things will probably not run as smoothly as they expect, and the statement of work should account for this. In many situations, an open-source tool that seems like an obvious choice can take months to adopt. Ask the service provider questions such as: how will this change affect DevOps security? What will the change management process look like? Who will be the business owner, and who will be the technical owner?
Speaking of security, few DevOps consulting firms focus on security from the very beginning, yet security is a key part of the DevOps methodology.
Back in the day, security was the responsibility of an isolated team at the last stage of development. This was not such a big problem when the development cycle lasted for months or even years, but those days are long gone.
A good DevOps outsourcing provider will get security teams involved from the very beginning and create a plan for security automation. This includes determining the risk tolerance and performing a risk/benefit analysis to decide which security controls are necessary for a given application. Just like the regular DevOps methodology, DevSecOps also requires automating repetitive tasks, because performing security checks manually inside the pipeline takes far too long.