For those implementing DevSecOps, what’s your biggest hurdle?

We’re working on secure development at Sky Solution and finding that integrating security into CI/CD requires a mindset shift for some teams. Any best practices you’d share?