A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age To all those change agents in every organization who dare to challenge the status quo, build bridges instead of walls, and propel us into the unlimited future.

CROWDSOURCED WRITING

Helen Beal Helen Beal is a DevOps and Ways of Working coach, chief ambassador at DevOps Institute, and ambassador for the Continuous Delivery Foundation. She is the chair of the Value Stream Management Consortium and co-chair of the OASIS Value Stream Management Interoperability Technical Committee. She also provides strategic advisory services to DevOps industry leaders. Helen hosts the Day-to-Day DevOps webinar series for BrightTalk, speaks regularly on DevOps and value stream-related topics, is a DevOps editor for InfoQ, and also writes for a number of other online platforms. She is a co-author of the book about DevOps and governance, Investments Unlimited, published by IT Revolution. Herder of Humans @helenhappybee PURPOSE: Bringing Joy to Work

Why another book?

GOVERNANCE

GOVERNANCE How does that word make you feel?

THE CHARACTERS BOARD Bernard Collins CEO Susan Jones SVP Digital Jason Colbert CRCO Jada King Andrea Regan AUDIT FIRM Laura Perez CISO Tim Jones CIO Jennifer Limus Security Barry David VP Product Bill Lucas Lucy VP Engineering Carol Smith Sr. Staff Engineer Michelle Dundin Engineer Omar SRE Dillon FRB Officer Greg Dorshaw

THE NARRATIVE ARC

THE INCITING INCIDENT To: Greg Dorson Subject: IUI Preliminary Examination Results Greg, looks like history is repeating itself. Seems like another fintech firm is going to require a formal action. The team is quite concerned… “How did you find out?” “I met with Bernard this evening at our regular two-finger Scotch session. He let me know that the MRIA will be issued to IUI. You know, it may feel like regulators are out to get us, but they’re really there to help us and protect our customers.” “You could have fooled me.” “It’s not uncommon for a MRIA to be informally notified through back channels. Bernard has a good relationship with the director of the regulatory agency…” 1

PIVOTAL MOMENT DevOps failed you. 27 “But it wasn’t DevOps’ fault.”

LEARNING “Take The DevOps Handbook. It points out three key aspects of DevOps: flow, feedback, and continuous learning.” “Yeah, the three ways.” “You betcha. Well, those same concepts can be applied to Security, Compliance, Risk and any other stakeholder along a value stream. These days, I’d argue that Development versus Operations is mostly solved. Now it’s all about systematically looking at all other parties that ensure the quality of software and including them in our shift-left mentality.” 30

LEARNING Dear Auditor, We realize that we have been changing our practices from Agile and DevOps to cloud and containers. Yes, we have been busy, and we are having great success delivering faster than ever with better quality, responding competitively to market pressure. However, this approach isn’t just icing on the cake. The only sustainable advantage in our industry is the ability to meet customer demands faster and more reliably than our competitors. But with all this growth, we made a tragic mistake: we forgot to bring you along for the ride. That is totally our fault and we want to make it right, We are going to make some new commitments. 33

LEARNING “Addressing the symptoms as they exposed themselves was the catalyst for an ever-slowing software delivery process. It was always in the name of security and risk. More and more processes were created, more complexity was added to the systems and more time-wasting meetings were required. It was like organizational scar tissue.” 49

No content

THE DEVOPS RISKS AND CONTROLS MATRIX (RCM) 1 Unauthorized changes to production PAM 2 Production breaks due to human error IaC 3 Material misstatement of financial data SoD 4 Intellectual property and licensing violation SBOM 5 Data breach from unauthorized access DAR 6 Unwanted customer impact Progressive delivery 7 Business continuity BCM/DR 8 Divergence of audit evidence from developer evidence 9 Data in appropriate jurisdiction GDPR or PII 10 Compromise unknown breach of infrastructure Red Team

CONTINUOUS EVIDENCE

Need Traditional Compliance Continuous Compliance Process conformance Checklists Risk controls as code Change management Change tickets Self documenting change Governance Audits Compliance monitoring AUTOMATED GOVERNANCE

LEARNING 70 “You know what we did today? We applied the same concepts of infrastructure as code to our governance. I’m going to go out on a limb with this one. Omar, what you showed with REGO, you showed policy as code. Our policies can be source controlled, just like our software and some of our infrastructure.” “Policy as code? Does this mean that Audit and Risk need to hire developers and learn to write code? Your demo seemed great, but if we have to write code, I’m not sure this will work.” “Um, I guess we didn’t think about that.” “No, I don’t think so, Andrea. This is where we can collaborate. Based on how things are being built, someone will need to understand how to write the policies into the REGO, but it doesn’t have to be Risk. we can have a policy team. Andrea, or Barry, when we need to implement a control with this approach, an engineer can be there to help.” TURBO EUREKA

“She was convinced that now, more than ever, every business was truly a technology business and every business leader was a technology leader.”

ANY QUESTIONS?