@Chris Reed I would offer to get an understanding of a security framework first (NIST/CIS), then you can get into the secure by design model, which many organizations like Google and DoD have been doing for some time. The dev and ops were the more popular portions; it's just now, because of the cyber landscape, that federal and large organizations are requiring it to be part of the fabric. Our experience incorporating secure by design was getting an understanding of the security frameworks. We picked a few to focus on, we used dev/stage to build the DevSecOps pipelines, we scanned code, we invested in SAST/DAST and were trained on what to look for. Now our development family references the framework when they are building anything, and it has become part of the development process. It was hard for a few, and some pushed back as it was incorporating another domain's model into something they were not familiar with, but time heals all things.