
5 DevEx and platform-mindset lessons from BT Group's hybrid cloud journey

Learn how highly-regulated BT Group transformed its security and operations approach using HashiCorp's platform.

When a company with nearly two centuries of history needs to modernize its infrastructure to defend against nation-state actors while meeting new regulatory requirements, the approach matters as much as the technology. BT Group's Security Director for Networking, Christian Schwartz, recently shared their transformation story, offering five key lessons for technical decision-makers navigating similar challenges.

1. Start with a gateway product

The most successful platform adoptions don't try to solve everything at once. BT Group began its HashiCorp journey strategically, focusing on infrastructure automation before expanding to the broader platform.

"We started off with Terraform because it is just this tool that allows us to create those templates, abstract infrastructure away, make this reusable stuff and create this shared responsibility model within BT between who's taking care of the platform engineering and who's building the apps on top."
— Christian Schwartz, Security Director for Networking, BT Group

HashiCorp Terraform served as what he calls "the gateway product" — providing immediate value through infrastructure as code while establishing the foundation for broader platform adoption. This approach allowed teams to experience the benefits of automation and standardization before committing to a complete platform overhaul.

Key takeaway: Choose an initial tool that delivers clear, measurable value while building the organizational muscle for platform thinking.

2. Focus on developer experience

Security transformations fail when they create friction for development teams. BT Group's approach centers on the core principle of sustainable adoption.

"I'm a big believer — as I said from the beginning, we want to make the secure way the easy way. You want to raise the security bar but also remove friction and put it to a minimum. Tools like Vault (I spoke about Boundary and EntraID at the leadership track last year, for example) create a frictionless experience for teams who want to either service, configure something, or build an app and deploy an app."
— Christian Schwartz, Security Director for Networking, BT Group

The impact extends beyond convenience to actual security outcomes. By implementing HashiCorp Vault for secrets management with automatic rotation, they fundamentally changed their security posture. Making secrets short-lived and using workflows that remove the need for credentials altogether make it very hard for attackers to steal credentials or use them long enough to cause harm.

But it all starts with making security-by-default feel invisible and effortless to the developer when they use platform workflows.

Key takeaway: Security improvements that reduce developer friction will be adopted faster and maintained longer than those that create additional complexity.

3. Embrace platform thinking

BT Group operates one of the most complex infrastructure environments imaginable — managing VM-first environments, Kubernetes clusters, Nomad deployments, and more across a hybrid cloud with multiple providers. Their solution was abstraction with a platform mindset.

The platform team built abstracted workflows so that it can simply tell developers, ‘Just develop your service, and based on your configurations, the platform will decide which environment is best for it.’ Developers don’t have to worry about whether the service runs on a Kubernetes cluster, or whether it should run in a private cloud or a public cloud. The templates and modules help developers use the best security configurations and the most efficient infrastructure for their application.

This platform approach reduces cognitive load so teams can focus on business value rather than infrastructure specifics. The result is a model where security and compliance become built-in characteristics rather than afterthoughts.

Key takeaway: Platform thinking means abstracting complexity away from users, letting platform engineers and other stakeholders manage the complexity with well-planned automation and templates.

4. Standardize across environments

Rather than attempting to standardize their diverse infrastructure environments, BT Group standardized its interaction model across all environments using HashiCorp's integrated platform.

"If you use the whole chain of HashiCorp tooling, you can actually abstract away all of the underlying platforms. It's about simplification, it's about abstracting away what you have underneath, it's about focusing on building your ‘hello world’ and deploying it in the most efficient way with best practices built in."
— Christian Schwartz, Security Director for Networking, BT Group

This approach enabled what Christian describes as an “API-first and not necessarily an opinionated view of where you should deploy.” Teams build for an abstracted environment rather than specific cloud providers, gaining portability and fine-grained control without vendor lock-in.

Key takeaway: Standardize developer interfaces so that you can work with non-standard, diverse infrastructure. Provide flexibility for configuration entry fields while including built-in security and compliance guardrails for all deployments.

5. Plan for the future

While addressing immediate operational needs, BT Group simultaneously prepares for longer-term challenges that many organizations haven't yet considered. “We need to keep in mind that, certainly for big and complex companies such as ourselves, it takes about 10 years to switch crypto[graphy],” Christian said. He cites the emergence of quantum computing attacks as a major threat to every industry, and emphasizes the need to start preparing now.

Their approach includes implementing Software Bill of Materials (SBOM) and Crypto Bill of Materials capabilities, along with supply chain security validation using standards like Google SLSA. These investments in observability and validation create the foundation for future transitions while improving the current security posture.

Key takeaway: Architecture decisions made today should account for challenges that may emerge 5-10 years from now, especially in cryptography and supply chain security. Read about HashiCorp’s plans for NIST’s quantum cryptography standards.

The platform advantage

BT Group's experience illustrates how navigating hybrid cloud in a highly regulated industry requires process and culture change, and it also requires technology stacks that can nudge your teams toward best practices.

By starting with a gateway product, focusing on developer experience, embracing platform thinking, standardizing interfaces rather than infrastructure, and planning for future challenges, they've positioned themselves to handle both current operational demands and emerging threats.

A platform approach:

  • Reduces security toil
  • Gives developers precise feedback
  • Aligns environments with code

As Christian summarized: “It becomes all design patterns and reusability, best practices, secure-by-design, secure-by-default, simplification, reduction of cognitive load.”

To learn more about how HashiCorp can help you achieve the platform engineering outcomes that can drive your hybrid environments into the future, check out: Deliver innovation at scale with The Infrastructure Cloud.
