It's a cliche that the biggest blocker to DevSecOps adoption is 'culture', which is shorthand for an impenetrable mass of people-y challenges. But in this talk I'll tackle a very concrete case: unicorn culture.

In moving away from skill-centric and inert silos and towards cloud-native architectures, we often seem to end up dependent on a small cluster of highly skilled super-engineers. These rare, senior, and hugely adaptable individuals can each deliver the same expertise and quality as a 100-strong IT organisation.

But of course, there's not many of them. So we fight over them, overload them, and push them to take on broader and broader responsibilities. Sometimes they are infrastructure architects who are also best in class software engineers; sometimes they are appsec specialists who also know 16 different cloud platforms and eat firewalls for breakfast.

I like to call these people 'unicorns', because they're semi-mythological, implicitly priceless, and attempts to create more of them usually fail. Above all, relying on unicorns to build a DevSecOps capability is a bad idea.

In this talk I'll explore the common problems caused by reliance on different breeds of unicorn in DevSecOps, and present some ways we can escape this common cultural trap.