Similarly, security groups believe that policy enforcement is their biggest (only?) lever... "If we can just update the policies to be more consumable/relevant/context aware/etc and get developers to pay attention, then magic will happen." But, policy enforcement rarely moves the needle and it creates a tense relationship between development and security that can do more harm than good.
This talk is a step-by-step framework for going from wherever you are now to getting on the path of DevSecOps cultural transformation. It addresses the mindset shift concerns for all relevant audiences. It addresses the mechanics of getting started and tracking progress. It's adaptable to any environment regardless of industry, technology, or maturity. Most importantly it's been proven in a highly diverse environment at Comcast.