The Power of Combining DevSecOps with Value Stream Management

Transcript

1. THE POWER OF COMBINING DEVSECOPS WITH VALUE STREAM MANAGEMENT

2. Helen Beal Helen Beal is a DevOps and Ways of

   Working coach, chief ambassador at DevOps Institute, and ambassador for the Continuous Delivery Foundation. She is the chair of the Value Stream Management Consortium and co-chair of the OASIS Value Stream Management Interoperability Technical Committee. She also provides strategic advisory services to DevOps industry leaders. Helen hosts the Day-to-Day DevOps webinar series for BrightTalk, speaks regularly on DevOps and value stream-related topics, is a DevOps editor for InfoQ, and also writes for a number of other online platforms. She is a co-author of the book about DevOps and governance, Investments Unlimited, published by IT Revolution. Herder of Humans @helenhappybee PURPOSE: Bringing Joy to Work

3. OUR FLOW TODAY (Talk Map) 3 The Three Ways Flow,

   lead and cycle time Global optimization Organizational Performance Customer Experience “It’s taken me 10-plus years to come up with my own one-line definition of DevOps: “DevOps is whatever you do to bridge friction created by silos, and all the rest is engineering.” And so, if you’re doing technology just for the technology and you’re not trying to overcome some friction of the human kind of siloing or group siloing or information siloing or whatever, then you’re just doing the engineering part and you’re not, in my opinion, doing the DevOps part.” Patrick Debois, the progenitor of DevOps, quoted in Puppet’s State of DevOps Report 2021

4. 1 Flow Emphasizes the performance of the entire system, as

   opposed to the performance of a specific silo of work or department — this can be as large a division or as small as an individual contributor. 2 Feedback Creates the right to left feedback loops. The goal of almost any process improvement initiative is to shorten and amplify feedback loops so necessary corrections can be continually made. 3 Continuous experimentation and learning Creates a culture that fosters two things: continual experimentation, taking risks and learning from failure; and understanding that repetition and practice is the prerequisite to mastery. 4 THE THREE WAYS OF DEVOPS

5. MEASURING FLOW: METRICS DEFINITION 5 Lead time: time from code

   commit to in production. Cycle time: idea registered to change is used by customer.

6. 6

7. 7 Selecting Which Value Stream to Start With Understanding the

   Work in Our Value Stream, Making it Visible, and Expanding it Across the Organization 5 6 “Once we have identified a value stream to which we want to apply DevOps principles and patterns, our next step is to gain a sufficient understanding of how value is delivered to the customer: what work is performed and by whom, and what steps can we take to improve flow.”

8. THE DEVOPS PLATEAU 8

9. 9 “To accelerate development and enable continuous delivery of customer

   value, organizations need to reach the next level in their agile and DevOps practices. I&O leaders and application leaders must focus on value stream management to maximize flow, improve delivery efficiency and drive innovation.” ‘Predicts 2021: Value Streams Will Define the Future of DevOps’ by Daniel Betts, Chris Saunderson, Ron Blair, Manjunath Bhat, Jim Scheibmeir, Hassan Ennaciri. Published 5 October 2020

10. VSM: NEXT GENERATION DEVOPS 10 Project Orientation Flow Orientation XP

    Scrum agile SAFe LeSS DA Lean & kanban Value stream management ALM DevOps Value stream management Again! Waterfall Motion study

11. 11 A value stream is an end-to-end set of activities

    which collectively creates value for a customer. James Martin, “The Great Transition’ Value The value-stream designers search for ways of achieving “outrageous” improvements in critical measures such as speed, cost, quality, and service. End-to-end The value stream team is concerned with all the activities, from start to delivery of results, and confirmation of satisfaction. Customer The value stream team is intensely focused on the customer (an external customer or an internal user) and is concerned with how to delight the customer.

12. THE TRANSITION People/Process Systems and Applications Data and Insights Traditional

    People are arranged in silos and their processes define work that is handed off between silos before it reaches the customer. Teams are dependent on each other to get work done. Systems are tightly coupled and monolithic. It’s hard to make changes and test and deploy to small parts of the system; a change requires the whole system to be tested and deployed. Data is difficult to get to and manually extracted by people who spend large amounts of time building and sharing reports which are mostly not read and are out of date quickly. Most conversations are opinion-driven. Value Stream Management Small, multifunctional, autonomous teams are dedicated to long-lived products and manage the end-to-end value stream and peer-review decisions so there are no dependencies outside of the team. Systems are loosely coupled and composed of small, autonomous services (microservices connected by APIs) that make it possible to make a change in a single service without impacting other services. API and integration tests exist in the CICD pipeline. Moves beyond data-driven business to insight-driven business. Large amounts of data are available real-time, in a data democracy where all can access the insights relevant to them instrumented into the tools that they use to do their daily work. 12

13. THE VSM IMPLEMENTATION ROADMAP 13

14. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code

    is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. VALUE STREAM MANAGEMENT PROCESSES 14 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. The Value Cycle

15. PORTFOLIO MANAGEMENT 15 PORTFOLIO AND BACKLOG Vision and goals are

    set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

16. PRODUCT BACKLOG 16 PORTFOLIO AND BACKLOG Vision and goals are

    set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

17. COLLABORATIVE WIKI 17 PORTFOLIO AND BACKLOG Vision and goals are

    set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. The DevSecOps Toolchain

18. ARTIFACT REPOSITORY 18 PORTFOLIO AND BACKLOG Vision and goals are

    set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

19. SOURCE/VERSION CONTROL 19 PORTFOLIO AND BACKLOG Vision and goals are

    set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

20. CI SERVER 20 PORTFOLIO AND BACKLOG Vision and goals are

    set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

21. UNIT TESTING 21 PORTFOLIO AND BACKLOG Vision and goals are

    set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

22. INTEGRATION TESTING 22 PORTFOLIO AND BACKLOG Vision and goals are

    set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

23. USER ACCEPTANCE TESTING 23 PORTFOLIO AND BACKLOG Vision and goals

    are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

24. NON-FUNCTION TESTING (E.G. SECURITY) 24 PORTFOLIO AND BACKLOG Vision and

    goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

25. ENVIRONMENT/RELEASE AUTOMATION 25 PORTFOLIO AND BACKLOG Vision and goals are

    set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

26. SERVICE DESK 26 PORTFOLIO AND BACKLOG Vision and goals are

    set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

27. LOGGING AND MONITORING 27 PORTFOLIO AND BACKLOG Vision and goals

    are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

28. OBSERVABILITY AND AIOPS 28 PORTFOLIO AND BACKLOG Vision and goals

    are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

29. ANALYTICS AND DASHBOARDS 29 PORTFOLIO AND BACKLOG Vision and goals

    are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

30. VSMPs: GLOBAL OPTIMIZATION 30 Value Stream Management Connect planning to

    delivery Visibility into cross value stream changes Trace user stories as they travel Continuous compliance Manage dependencies while you break them Gain insights into waste; optimize flow Inspect real-time data and adapt

31. 31 Your Organization

32. 32 Your Organization

33. 33 Your Organization

34. 34 Your Organization

35. DEPENDENCY MAPPING 35

36. All User Stories are Accepted in VersionOne and all open

    defects deferred or closed. PCI: Logon for Life Scan for PCI compliance User Story Accepted by Infosec Step 1 Step 7 PCI: Payments Processing Veracode Scan User Story Accepted by Infosec Manage dependencies between teams Step 11 Release is Scope Locked in ServiceNow Step 40 Step 43 Check that all teams have access to necessary accounts Deployment Issues or Unplanned Activities are logged in VSMP Salesforce: Send email to EDS Project Manager confirming that SF deployment has completed and Business validations can start Step 21 Step 6 Step 10 36 RELEASE PROCESS #1: STANDARD (53 STEPS)

37. Release is Scope Locked in ServiceNow Step 1 Step 11

    All changes Start/End dates align with Release window Step 14 Link to VSMP deployment plans are in ServiceNow for each PRD task Step 23 Step 18- 21 Deployment Issues or Unplanned Activities are logged in VSMP Release retrospective meeting End-to-End Testing performed with internal and vendor systems Step 7 Change Request should be in Approval state with all required artifacts Step 13 Comms in MS Teams Step 33 37 RELEASE PROCESS #2: CICD (32 STEPS)

38. THE TWO DIMENSIONS OF VSM 38 VALUE FLOW REALIZATION EFFICIENCY

    EFFECTIVENESS Outputs (value stream health) Outcomes (customer experience) Flow is the journey of work from idea to realization. Its travel should be friction-free. It’s a continuous steady stream of value for customers. Realization is the fulfillment of desired outcomes. It’s when a customer experiences the value intended. • Speed of flow • Frequency of delivery • Waste in the value stream • The work types underway • Customers actively using capability • Rate at which new customers arrive • Customers’ description of experience • Value stream finance health

39. CUSTOMER EXPERIENCE 39

40. ADAPTING VALUE STREAMS 40

41. VSM CAPABILITY MATRIX Dimension Emerging Learning Practicing Evolving Insights-Driven Data

    manually extracted Data is aggregated Tools have been integrated A single tool connects all parts and automates insights Dependencies Aware of dependencies Managing dependencies Breaking dependencies Loosely coupled/ autonomous teams and systems DevOps Toolchain Building continuous integration Using continuous delivery Architected from idea to value realization Work is traceable around entire cycle - automated value stream map Metrics Incident rate, change fail rate Deployment frequency, MTTR Lead time, cycle time Flow velocity, efficiency, value realized Organizational Starting to use value stream mapping Naming value streams, some roles Teams directed around value streams and customer journeys All teams organized around value streams, dedicated roles 41

42. TAKEAWAYS 42 KEEP DEVSECOPSING Persistence is not futile—it’s essential to

    your organization’s future. BUT VSM may unlock where DevSecOps is stuck. VSM + DevSecOps = higher organization performance. FLOW The movement of work from idea to customer is an inherent characteristic of a value stream. But feedback is also essential—what is your customer experiencing? GLOBALLY OPTIMIZE Efficiency and governance are both essential. Make sure local discoveries can become global optimizations and use VSM to manage the natural heterogeneity of autonomy. Icons made by Freepik and Eucalyp from www.flaticon.com

43. THANK YOU 43