THE POWER OF COMBINING DEVSECOPS WITH VALUE STREAM MANAGEMENT

Helen Beal Helen Beal is a DevOps and Ways of Working coach, chief ambassador at DevOps Institute, and ambassador for the Continuous Delivery Foundation. She is the chair of the Value Stream Management Consortium and co-chair of the OASIS Value Stream Management Interoperability Technical Committee. She also provides strategic advisory services to DevOps industry leaders. Helen hosts the Day-to-Day DevOps webinar series for BrightTalk, speaks regularly on DevOps and value stream-related topics, is a DevOps editor for InfoQ, and also writes for a number of other online platforms. She is a co-author of the book about DevOps and governance, Investments Unlimited, published by IT Revolution. Herder of Humans @helenhappybee PURPOSE: Bringing Joy to Work

OUR FLOW TODAY (Talk Map) 3 The Three Ways Flow, lead and cycle time Global optimization Organizational Performance Customer Experience “It’s taken me 10-plus years to come up with my own one-line definition of DevOps: “DevOps is whatever you do to bridge friction created by silos, and all the rest is engineering.” And so, if you’re doing technology just for the technology and you’re not trying to overcome some friction of the human kind of siloing or group siloing or information siloing or whatever, then you’re just doing the engineering part and you’re not, in my opinion, doing the DevOps part.” Patrick Debois, the progenitor of DevOps, quoted in Puppet’s State of DevOps Report 2021

1 Flow Emphasizes the performance of the entire system, as opposed to the performance of a specific silo of work or department — this can be as large a division or as small as an individual contributor. 2 Feedback Creates the right to left feedback loops. The goal of almost any process improvement initiative is to shorten and amplify feedback loops so necessary corrections can be continually made. 3 Continuous experimentation and learning Creates a culture that fosters two things: continual experimentation, taking risks and learning from failure; and understanding that repetition and practice is the prerequisite to mastery. 4 THE THREE WAYS OF DEVOPS

MEASURING FLOW: METRICS DEFINITION 5 Lead time: time from code commit to in production. Cycle time: idea registered to change is used by customer.

6

7 Selecting Which Value Stream to Start With Understanding the Work in Our Value Stream, Making it Visible, and Expanding it Across the Organization 5 6 “Once we have identified a value stream to which we want to apply DevOps principles and patterns, our next step is to gain a sufficient understanding of how value is delivered to the customer: what work is performed and by whom, and what steps can we take to improve flow.”

THE DEVOPS PLATEAU 8

9 “To accelerate development and enable continuous delivery of customer value, organizations need to reach the next level in their agile and DevOps practices. I&O leaders and application leaders must focus on value stream management to maximize flow, improve delivery efficiency and drive innovation.” ‘Predicts 2021: Value Streams Will Define the Future of DevOps’ by Daniel Betts, Chris Saunderson, Ron Blair, Manjunath Bhat, Jim Scheibmeir, Hassan Ennaciri. Published 5 October 2020

VSM: NEXT GENERATION DEVOPS 10 Project Orientation Flow Orientation XP Scrum agile SAFe LeSS DA Lean & kanban Value stream management ALM DevOps Value stream management Again! Waterfall Motion study

11 A value stream is an end-to-end set of activities which collectively creates value for a customer. James Martin, “The Great Transition’ Value The value-stream designers search for ways of achieving “outrageous” improvements in critical measures such as speed, cost, quality, and service. End-to-end The value stream team is concerned with all the activities, from start to delivery of results, and confirmation of satisfaction. Customer The value stream team is intensely focused on the customer (an external customer or an internal user) and is concerned with how to delight the customer.

THE TRANSITION People/Process Systems and Applications Data and Insights Traditional People are arranged in silos and their processes define work that is handed off between silos before it reaches the customer. Teams are dependent on each other to get work done. Systems are tightly coupled and monolithic. It’s hard to make changes and test and deploy to small parts of the system; a change requires the whole system to be tested and deployed. Data is difficult to get to and manually extracted by people who spend large amounts of time building and sharing reports which are mostly not read and are out of date quickly. Most conversations are opinion-driven. Value Stream Management Small, multifunctional, autonomous teams are dedicated to long-lived products and manage the end-to-end value stream and peer-review decisions so there are no dependencies outside of the team. Systems are loosely coupled and composed of small, autonomous services (microservices connected by APIs) that make it possible to make a change in a single service without impacting other services. API and integration tests exist in the CICD pipeline. Moves beyond data-driven business to insight-driven business. Large amounts of data are available real-time, in a data democracy where all can access the insights relevant to them instrumented into the tools that they use to do their daily work. 12

THE VSM IMPLEMENTATION ROADMAP 13

CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. VALUE STREAM MANAGEMENT PROCESSES 14 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. The Value Cycle

PORTFOLIO MANAGEMENT 15 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

PRODUCT BACKLOG 16 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

COLLABORATIVE WIKI 17 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. The DevSecOps Toolchain

ARTIFACT REPOSITORY 18 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

SOURCE/VERSION CONTROL 19 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

CI SERVER 20 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

UNIT TESTING 21 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

INTEGRATION TESTING 22 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

USER ACCEPTANCE TESTING 23 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

NON-FUNCTION TESTING (E.G. SECURITY) 24 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

ENVIRONMENT/RELEASE AUTOMATION 25 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

SERVICE DESK 26 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

LOGGING AND MONITORING 27 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

OBSERVABILITY AND AIOPS 28 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

ANALYTICS AND DASHBOARDS 29 PORTFOLIO AND BACKLOG Vision and goals are set and aligned to epics, features, PBIs and user stories. INSIGHTS AND ANALYSIS Monitoring and observability provide insights into customer reaction to changes and report on value realization. CONTINUOUS INTEGRATION Code is created, artifacts incorporated, versions controlled, code is built in a trunk based manner. CONTINUOUS DELIVERY The changes are approved, released and operated in the live environment. CONTINUOUS TESTING Functional and non-functional testing takes place at every commit at every step or gate through route to live. The DevSecOps Toolchain

VSMPs: GLOBAL OPTIMIZATION 30 Value Stream Management Connect planning to delivery Visibility into cross value stream changes Trace user stories as they travel Continuous compliance Manage dependencies while you break them Gain insights into waste; optimize flow Inspect real-time data and adapt

31 Your Organization

32 Your Organization

33 Your Organization

34 Your Organization

DEPENDENCY MAPPING 35

All User Stories are Accepted in VersionOne and all open defects deferred or closed. PCI: Logon for Life Scan for PCI compliance User Story Accepted by Infosec Step 1 Step 7 PCI: Payments Processing Veracode Scan User Story Accepted by Infosec Manage dependencies between teams Step 11 Release is Scope Locked in ServiceNow Step 40 Step 43 Check that all teams have access to necessary accounts Deployment Issues or Unplanned Activities are logged in VSMP Salesforce: Send email to EDS Project Manager confirming that SF deployment has completed and Business validations can start Step 21 Step 6 Step 10 36 RELEASE PROCESS #1: STANDARD (53 STEPS)

Release is Scope Locked in ServiceNow Step 1 Step 11 All changes Start/End dates align with Release window Step 14 Link to VSMP deployment plans are in ServiceNow for each PRD task Step 23 Step 18- 21 Deployment Issues or Unplanned Activities are logged in VSMP Release retrospective meeting End-to-End Testing performed with internal and vendor systems Step 7 Change Request should be in Approval state with all required artifacts Step 13 Comms in MS Teams Step 33 37 RELEASE PROCESS #2: CICD (32 STEPS)

THE TWO DIMENSIONS OF VSM 38 VALUE FLOW REALIZATION EFFICIENCY EFFECTIVENESS Outputs (value stream health) Outcomes (customer experience) Flow is the journey of work from idea to realization. Its travel should be friction-free. It’s a continuous steady stream of value for customers. Realization is the fulfillment of desired outcomes. It’s when a customer experiences the value intended. ● Speed of flow ● Frequency of delivery ● Waste in the value stream ● The work types underway ● Customers actively using capability ● Rate at which new customers arrive ● Customers’ description of experience ● Value stream finance health

CUSTOMER EXPERIENCE 39

ADAPTING VALUE STREAMS 40

VSM CAPABILITY MATRIX Dimension Emerging Learning Practicing Evolving Insights-Driven Data manually extracted Data is aggregated Tools have been integrated A single tool connects all parts and automates insights Dependencies Aware of dependencies Managing dependencies Breaking dependencies Loosely coupled/ autonomous teams and systems DevOps Toolchain Building continuous integration Using continuous delivery Architected from idea to value realization Work is traceable around entire cycle - automated value stream map Metrics Incident rate, change fail rate Deployment frequency, MTTR Lead time, cycle time Flow velocity, efficiency, value realized Organizational Starting to use value stream mapping Naming value streams, some roles Teams directed around value streams and customer journeys All teams organized around value streams, dedicated roles 41

TAKEAWAYS 42 KEEP DEVSECOPSING Persistence is not futile—it’s essential to your organization’s future. BUT VSM may unlock where DevSecOps is stuck. VSM + DevSecOps = higher organization performance. FLOW The movement of work from idea to customer is an inherent characteristic of a value stream. But feedback is also essential—what is your customer experiencing? GLOBALLY OPTIMIZE Efficiency and governance are both essential. Make sure local discoveries can become global optimizations and use VSM to manage the natural heterogeneity of autonomy. Icons made by Freepik and Eucalyp from www.flaticon.com

THANK YOU 43