Slide 1

Slide 1 text

THE POWER OF COMBINING DEVSECOPS WITH VALUE STREAM MANAGEMENT

Slide 2

Slide 2 text

Helen Beal

Helen Beal is a DevOps and Ways of Working coach, chief ambassador at DevOps Institute, and ambassador for the Continuous Delivery Foundation. She is the chair of the Value Stream Management Consortium and co-chair of the OASIS Value Stream Management Interoperability Technical Committee. She also provides strategic advisory services to DevOps industry leaders. Helen hosts the Day-to-Day DevOps webinar series for BrightTalk, speaks regularly on DevOps and value stream-related topics, is a DevOps editor for InfoQ, and also writes for a number of other online platforms. She is a co-author of the book about DevOps and governance, Investments Unlimited, published by IT Revolution.

Herder of Humans
@helenhappybee
PURPOSE: Bringing Joy to Work

Slide 3

Slide 3 text

OUR FLOW TODAY (Talk Map)

● The Three Ways
● Flow, lead and cycle time
● Global optimization
● Organizational Performance
● Customer Experience

“It’s taken me 10-plus years to come up with my own one-line definition of DevOps: “DevOps is whatever you do to bridge friction created by silos, and all the rest is engineering.” And so, if you’re doing technology just for the technology and you’re not trying to overcome some friction of the human kind of siloing or group siloing or information siloing or whatever, then you’re just doing the engineering part and you’re not, in my opinion, doing the DevOps part.”

Patrick Debois, the progenitor of DevOps, quoted in Puppet’s State of DevOps Report 2021

Slide 4

Slide 4 text

THE THREE WAYS OF DEVOPS

1 Flow
Emphasizes the performance of the entire system, as opposed to the performance of a specific silo of work or department — this can be as large as a division or as small as an individual contributor.

2 Feedback
Creates the right-to-left feedback loops. The goal of almost any process improvement initiative is to shorten and amplify feedback loops so necessary corrections can be continually made.

3 Continuous experimentation and learning
Creates a culture that fosters two things: continual experimentation, taking risks and learning from failure; and understanding that repetition and practice is the prerequisite to mastery.

Slide 5

Slide 5 text

MEASURING FLOW: METRICS DEFINITION

Lead time: time from code commit to in production.
Cycle time: idea registered to change is used by customer.

Slide 6

Slide 6 text


Slide 7

Slide 7 text

5 Selecting Which Value Stream to Start With
6 Understanding the Work in Our Value Stream, Making it Visible, and Expanding it Across the Organization

“Once we have identified a value stream to which we want to apply DevOps principles and patterns, our next step is to gain a sufficient understanding of how value is delivered to the customer: what work is performed and by whom, and what steps can we take to improve flow.”

Slide 8

Slide 8 text

THE DEVOPS PLATEAU

Slide 9

Slide 9 text

“To accelerate development and enable continuous delivery of customer value, organizations need to reach the next level in their agile and DevOps practices. I&O leaders and application leaders must focus on value stream management to maximize flow, improve delivery efficiency and drive innovation.”

‘Predicts 2021: Value Streams Will Define the Future of DevOps’ by Daniel Betts, Chris Saunderson, Ron Blair, Manjunath Bhat, Jim Scheibmeir, Hassan Ennaciri. Published 5 October 2020

Slide 10

Slide 10 text

VSM: NEXT GENERATION DEVOPS

[Diagram labels: Project Orientation; Flow Orientation; XP; Scrum; agile; SAFe; LeSS; DA; Lean & kanban; Value stream management; ALM; DevOps; Value stream management Again!; Waterfall; Motion study]

Slide 11

Slide 11 text

A value stream is an end-to-end set of activities which collectively creates value for a customer.
James Martin, “The Great Transition”

Value
The value-stream designers search for ways of achieving “outrageous” improvements in critical measures such as speed, cost, quality, and service.

End-to-end
The value stream team is concerned with all the activities, from start to delivery of results, and confirmation of satisfaction.

Customer
The value stream team is intensely focused on the customer (an external customer or an internal user) and is concerned with how to delight the customer.

Slide 12

Slide 12 text

THE TRANSITION

Traditional
  People/Process: People are arranged in silos and their processes define work that is handed off between silos before it reaches the customer. Teams are dependent on each other to get work done.
  Systems and Applications: Systems are tightly coupled and monolithic. It’s hard to make changes and test and deploy to small parts of the system; a change requires the whole system to be tested and deployed.
  Data and Insights: Data is difficult to get to and manually extracted by people who spend large amounts of time building and sharing reports which are mostly not read and are out of date quickly. Most conversations are opinion-driven.

Value Stream Management
  People/Process: Small, multifunctional, autonomous teams are dedicated to long-lived products and manage the end-to-end value stream and peer-review decisions so there are no dependencies outside of the team.
  Systems and Applications: Systems are loosely coupled and composed of small, autonomous services (microservices connected by APIs) that make it possible to make a change in a single service without impacting other services. API and integration tests exist in the CICD pipeline.
  Data and Insights: Moves beyond data-driven business to insight-driven business. Large amounts of data are available real-time, in a data democracy where all can access the insights relevant to them instrumented into the tools that they use to do their daily work.

Slide 13

Slide 13 text

THE VSM IMPLEMENTATION ROADMAP

Slide 14

Slide 14 text

VALUE STREAM MANAGEMENT PROCESSES
The Value Cycle

CONTINUOUS INTEGRATION: Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner.
CONTINUOUS DELIVERY: The changes are approved, released and operated in the live environment.
CONTINUOUS TESTING: Functional and non-functional testing takes place at every commit at every step or gate through route to live.
PORTFOLIO AND BACKLOG: Vision and goals are set and aligned to epics, features, PBIs and user stories.
INSIGHTS AND ANALYSIS: Monitoring and observability provide insights into customer reaction to changes and report on value realization.

Slide 15

Slide 15 text

PORTFOLIO MANAGEMENT
The DevSecOps Toolchain

Slide 16

Slide 16 text

PRODUCT BACKLOG
The DevSecOps Toolchain

Slide 17

Slide 17 text

COLLABORATIVE WIKI
The DevSecOps Toolchain

Slide 18

Slide 18 text

ARTIFACT REPOSITORY
The DevSecOps Toolchain

Slide 19

Slide 19 text

SOURCE/VERSION CONTROL
The DevSecOps Toolchain

Slide 20

Slide 20 text

CI SERVER
The DevSecOps Toolchain

Slide 21

Slide 21 text

UNIT TESTING
The DevSecOps Toolchain

Slide 22

Slide 22 text

INTEGRATION TESTING
The DevSecOps Toolchain

Slide 23

Slide 23 text

USER ACCEPTANCE TESTING
The DevSecOps Toolchain

Slide 24

Slide 24 text

NON-FUNCTIONAL TESTING (E.G. SECURITY)
The DevSecOps Toolchain

Slide 25

Slide 25 text

ENVIRONMENT/RELEASE AUTOMATION
The DevSecOps Toolchain

Slide 26

Slide 26 text

SERVICE DESK
The DevSecOps Toolchain

Slide 27

Slide 27 text

LOGGING AND MONITORING
The DevSecOps Toolchain

Slide 28

Slide 28 text

OBSERVABILITY AND AIOPS
The DevSecOps Toolchain

Slide 29

Slide 29 text

ANALYTICS AND DASHBOARDS
The DevSecOps Toolchain

Slide 30

Slide 30 text

VSMPs: GLOBAL OPTIMIZATION

Value Stream Management
● Connect planning to delivery
● Visibility into cross value stream changes
● Trace user stories as they travel
● Continuous compliance
● Manage dependencies while you break them
● Gain insights into waste; optimize flow
● Inspect real-time data and adapt

Slide 31

Slide 31 text

Your Organization

Slide 32

Slide 32 text

Your Organization

Slide 33

Slide 33 text

Your Organization

Slide 34

Slide 34 text

Your Organization

Slide 35

Slide 35 text

DEPENDENCY MAPPING

Slide 36

Slide 36 text

RELEASE PROCESS #1: STANDARD (53 STEPS)

Callouts on the slide:
● All User Stories are Accepted in VersionOne and all open defects deferred or closed.
● PCI: Logon for Life Scan for PCI compliance User Story Accepted by Infosec
● PCI: Payments Processing Veracode Scan User Story Accepted by Infosec
● Manage dependencies between teams
● Release is Scope Locked in ServiceNow
● Check that all teams have access to necessary accounts
● Deployment Issues or Unplanned Activities are logged in VSMP
● Salesforce: Send email to EDS Project Manager confirming that SF deployment has completed and Business validations can start

Step labels on the slide (in extraction order): Step 1, Step 7, Step 11, Step 40, Step 43, Step 21, Step 6, Step 10

Slide 37

Slide 37 text

RELEASE PROCESS #2: CICD (32 STEPS)

Callouts on the slide:
● Release is Scope Locked in ServiceNow
● All changes Start/End dates align with Release window
● Link to VSMP deployment plans are in ServiceNow for each PRD task
● Deployment Issues or Unplanned Activities are logged in VSMP
● Release retrospective meeting
● End-to-End Testing performed with internal and vendor systems
● Change Request should be in Approval state with all required artifacts
● Comms in MS Teams

Step labels on the slide (in extraction order): Step 1, Step 11, Step 14, Step 23, Step 18-21, Step 7, Step 13, Step 33

Slide 38

Slide 38 text

THE TWO DIMENSIONS OF VSM

VALUE

FLOW (EFFICIENCY)
Outputs (value stream health)
Flow is the journey of work from idea to realization. Its travel should be friction-free. It’s a continuous steady stream of value for customers.
● Speed of flow
● Frequency of delivery
● Waste in the value stream
● The work types underway

REALIZATION (EFFECTIVENESS)
Outcomes (customer experience)
Realization is the fulfillment of desired outcomes. It’s when a customer experiences the value intended.
● Customers actively using capability
● Rate at which new customers arrive
● Customers’ description of experience
● Value stream finance health

Slide 39

Slide 39 text

CUSTOMER EXPERIENCE

Slide 40

Slide 40 text

ADAPTING VALUE STREAMS

Slide 41

Slide 41 text

VSM CAPABILITY MATRIX

Dimension: Insights-Driven
  Emerging: Data manually extracted
  Learning: Data is aggregated
  Practicing: Tools have been integrated
  Evolving: A single tool connects all parts and automates insights

Dimension: Dependencies
  Emerging: Aware of dependencies
  Learning: Managing dependencies
  Practicing: Breaking dependencies
  Evolving: Loosely coupled/autonomous teams and systems

Dimension: DevOps Toolchain
  Emerging: Building continuous integration
  Learning: Using continuous delivery
  Practicing: Architected from idea to value realization
  Evolving: Work is traceable around entire cycle - automated value stream map

Dimension: Metrics
  Emerging: Incident rate, change fail rate
  Learning: Deployment frequency, MTTR
  Practicing: Lead time, cycle time
  Evolving: Flow velocity, efficiency, value realized

Dimension: Organizational
  Emerging: Starting to use value stream mapping
  Learning: Naming value streams, some roles
  Practicing: Teams directed around value streams and customer journeys
  Evolving: All teams organized around value streams, dedicated roles

Slide 42

Slide 42 text

TAKEAWAYS

KEEP DEVSECOPSING
Persistence is not futile—it’s essential to your organization’s future. BUT VSM may unlock where DevSecOps is stuck. VSM + DevSecOps = higher organization performance.

FLOW
The movement of work from idea to customer is an inherent characteristic of a value stream. But feedback is also essential—what is your customer experiencing?

GLOBALLY OPTIMIZE
Efficiency and governance are both essential. Make sure local discoveries can become global optimizations and use VSM to manage the natural heterogeneity of autonomy.

Icons made by Freepik and Eucalyp from www.flaticon.com

Slide 43

Slide 43 text

THANK YOU