DevSecOps at an AI Company

 

DevSecOps at Conversica: From Fragile to Fortified

The Wins — A Five-Year Transformation

I had committed to 5 years, and even though I didn’t envision it taking as long as it did, we finally achieved most of what we originally set out to accomplish back in October 2019.


When I stepped in during 2019, DevOps at Conversica was more of a patchwork than a practice. Releases were unreliable, compliance felt like overhead, and security—when addressed—was often an afterthought. The cloud infrastructure technically worked, but it was architected for availability, not resilience. It was sufficient for SMB customers willing to tolerate latency and fragility, but wholly unfit for the demands of enterprise scale. There was no systemic rigor, no clear visibility, and—most critically—no confidence that our platform could carry the weight of a modern, up-market strategy. That had to change. Immediately.

But transformation doesn’t begin with tools. It begins with people.

The first critical inflection point came when I recruited Chris Collins, a trusted former partner from our Janrain days. Chris didn’t just bring elite SRE and DevSecOps skills—he brought leadership, calm under pressure, and the ability to instill confidence in engineering and the business alike. He rebuilt the foundation. He turned chaos into cadence. He made resilience a habit.

We didn’t stop there.

After Chris stabilized the core, we brought in another battle-tested veteran: Josh Willhite. Josh is the best of the best. Where Chris built trust, Josh built scale. They both understood what it meant to provide 99.999% availability and serve the F100. Josh took our maturing cloud operations and re-architected them for speed, security, and enterprise-grade automation. Under his leadership, infrastructure didn’t just become a service layer—it became a competitive advantage.

Together, they transformed Conversica’s cloud operations into a secure, scalable, and strategic platform. Here’s what changed:

  • CI/CD Maturity: Fully automated pipelines with security scanning (SAST/DAST) and integrated secrets management.
  • Infrastructure as Code: Standardized, version-controlled, and repeatable environments—reducing human error and improving rollback.
  • DevSecOps Mindset: Security became a shared responsibility. From access controls to runtime hardening, every commit came armored.
  • Observability: We monitored MTTR, deployment frequency, and security posture in real time—turning insight into iteration.
  • Audit-Ready by Default: SOC2, GDPR, and enterprise security reviews weren’t sprints—they were built into the platform.

Most importantly, security wasn’t the thing that slowed us down. It was the thing that let us move faster—confidently, and at scale.


The Losses — Lessons in the Hard Way

We didn’t get here overnight. Our early days were marked by classic anti-patterns:

  • Tool Overload: We threw scanners and dashboards at the problem, but lacked unified visibility or prioritization.
  • Reactive Posture: Incidents were dealt with after the fact. There was little threat modeling, and no clear playbooks.
  • Dev/Sec Tension: Engineers viewed security as a blocker. Security lacked the bandwidth to be embedded early.
  • False Positives & Fatigue: Rigid build-breaking policies on low-risk issues created alert fatigue and distrust.

The result? Security wasn’t enabling us—it was frustrating us. Features shipped without clear threat assessments. Incidents were triaged with fingers crossed. Technical debt piled up in corners of the infrastructure that no one truly owned.

But here’s what we learned: you can’t retrofit trust. You have to engineer it—early, often, and by design.


Advice From One CEO to Another — Leading DevSecOps in Enterprise AI

  1. Hire Builders, Not Maintainers
    The right leadership changes everything. Chris and Josh didn’t just fix what was broken—they built what was missing.
  2. Shift Security Left—But Not Rigidly
    Integrate security early in the pipeline, but focus on signal over noise. If your tools slow devs down, they’ll be ignored.
  3. Make Security a Business KPI
    Track MTTR. Celebrate zero-incident quarters. Tie platform stability to NPS, renewals, and ARR.
  4. Treat Culture as Infrastructure
    Build a blameless, metrics-driven, cross-functional environment. DevSecOps isn’t a team—it’s a way of operating.
  5. Invest in Reusability, Not Firefighting
    IaC, runbooks, automated recovery—this is how you scale without multiplying headcount.

Conclusion — The Silent Power Behind the Platform

By mid-2025, DevSecOps at Conversica wasn’t just an operational function. It was an enabler. A differentiator. A moat.

We scaled faster because our platform could handle it. We won enterprise deals because our security story earned trust. We delivered confidently because every team—from Product to CS—knew our infrastructure had their back.

Chris Collins gave us the foundation. Josh Willhite gave us the lift. And together, they turned Cloud Operations from a cost center into a launchpad.

In the age of AI, you don’t just need to move fast—you need to move fearlessly. Conversica built a platform where every deploy is a vote of confidence, and every commit is battle-ready. This isn’t just DevSecOps. It’s cloud courage at scale.

Jim Kaskade

Jim Kaskade is a serial entrepreneur & enterprise software executive of over 38 years. He was the CEO of Conversica, a PE-backed leader in AI Automation solutions that help clients grow revenue. He successfully exited the PE-backed SaaS company Janrain, in the digital identity security space. Prior to identity, he led a digital application business of over 7,000 people ($1B). Prior to that he led a big data & analytics business of over 1,000 ($250M). He was the CEO of a Big Data Cloud company ($50M); was an EIR at PARC (the Bell Labs of Silicon Valley), which resulted in a spinout of the AML AI company Quantiply; led two separate private cloud software startups; founded one of the most advanced digital video SaaS companies delivering online and wireless solutions to over 10,000 enterprises; and was involved with three semiconductor startups (two of which he founded, one of which he sold). He started his career engineering massively parallel processing datacenter applications. Jim holds an Electrical and Computer Science Engineering degree from the University of California, Santa Barbara, with an emphasis in semiconductor design and computer science; and an MBA from the University of San Diego with an emphasis in entrepreneurship and finance.
