2019 Executive Insights on DevOps

This post originally appeared on DZone.com

To understand the current and future state of DevOps, we spoke to 40 IT executives from 37 organizations. Here’s who we spoke to:

Key Findings

1. The most important elements of a successful DevOps implementation are a culture of collaboration and real-time feedback on mutually agreed upon metrics for automated processes.

It’s a philosophy or movement rather than a methodology. Culture is the cornerstone of success, and drives collaboration and sustainable practices. Start with culture and envision how the team will interact to achieve well-defined and articulated goals. Leadership needs to adopt and embrace DevOps. Create a culture of discovery and fail fast. Focus on learning, experiments, and continuous improvement. You cannot just do DevOps in a silo without product, marketing, engineering, finance, sales, and executive management being affected by it. 

Automate everything — builds, deployments, testing, reporting, whatever you can. Institute repeatable processes, track metrics, measure, and ensure you are meeting and exceeding KPIs. Every test needs to be repeatable and scalable. Continuous improvement needs to be measured and valued. Align incentives between the operations, development, and security teams.

2. Automated DevSecOps is the way most respondents are integrating security into their DevOps pipeline in addition to static code analysis and dynamic application security testing.

It’s more critical than ever that DevOps embraces security from the outset and that DevSecOps is baked in from the beginning. Security is a first-class citizen given the number of breaches that are taking place. Without security, an organization cannot survive. By integrating security into DevOps, developers can easily and routinely produce software that is free of flaws and vulnerabilities.

There are multiple technologies to consider: 1) SAST (static analysis security testing), analyzing application code like a compiler and building logic trees and the data flow of an application; 2) DAST (dynamic application security testing), an automated hacker that you can use to analyze responses to determine if it was able to break into or trick the application; 3) SCA (software composition analysis) to analyze application code, detect open-source code, and determine if it’s secure/legal, and how far it is behind the most recent release. Ensure that engineers understand secure coding and employ peer reviews. We have a segregation of duties in place, and we track how everything is produced in the pipeline.

3. The biggest changes to DevOps have been the level of acceptance, the predominance of the public cloud and the tools offered, and containers and Kubernetes (K8s).

DevOps used to be only for Silicon Valley companies. Now it’s on everyone’s mind. There is greater acceptance as people are aware of the benefits and the availability of tooling and knowledge. Culture adoption was the first wave and is now a constant. Now we’re rolling into more tools with software and virtual hardware with infrastructure as code automation.

The emergence of cloud-native is another major change. Everything is done in the cloud, and there has been an explosion of tools and infrastructure options. Tools are becoming more sophisticated with the cloud environment.

There is also a change in attitude with the rise of K8s in the public cloud. When the cloud begins to run K8s for you, that’s a game changer. It’s much easier to virtualize code and automate everything. Containers make it easier for developers to do work in an environment that looks like production.

4. Speed to market is the overarching value provided by DevOps with several aspects of speed mentioned. The tenets of DevOps are the same: moving faster, empowering developers, achieving better code quality, having a more resilient infrastructure, and improving the security posture.

Minimize the time it takes to deliver value to customers. The cycle time from developer completion of a story/defect/task to production is dramatically reduced via DevOps and continuous delivery, allowing for value to be realized as quickly as possible. Deployment and development to production cycles can go from months to hours, without additional headcount and decreasing risk through automation.

Another benefit is the ability to decrease time to market, increase customer satisfaction, and gain a sustainable competitive advantage. Reducing cycle times can also speed innovation since new ideas can be brought to market more quickly. Problems are able to be resolved more quickly with shorter feedback loops.

5. While use cases were provided in 14 different industries, financial services and insurance examples were provided far more than any other.

The financial market is very dynamic with constant changes being driven by different perspectives around the world, such as new financial regulations and reporting requirements. A large bank created several dozen new APIs and digital services in less than five months. Previously, it would have taken them at least 18 months. Key Bank has gone from a three-month deployment interval to a one-week deployment interval. A major global insurer reduced annual costs from $3 million to $120,000 per test environment while reducing the environment provisioning time from six weeks to two hours.

6. The most common reasons for DevOps failures are unwillingness to adopt a “fail fast and iterate” approach, lack of executive-level support for the initiative, and lack of alignment between all of the people responsible for implementing DevOps.

If a customer starts with “fail fast and iterate,” it’s pretty easy. You have an honest and healthy retrospective in contrast to coming from a blame model. You need a blame-free environment to successfully implement DevOps. Learn from your mistakes. If it hurts, do it more often in smaller batches to learn and remove the pain. Find people with the courage to tell you what didn’t work and why. Embrace failure to learn.

Get executive management on board early. Only the management team can align resources within the organization to drive the level of transformation required. Management also has an end-to-end view of the value chain and is best positioned to bring all of the resources to bear on a common path. It’s critical that an organization’s leaders shield new teams from traditional organizational pressures to deliver. There needs to be organizational support for long-term adoption.

Processes must be aligned across all of the teams. Every representative of the SDLC needs to be at the table. If you leave someone out, they’ll be offended and serve as an impediment to your DevOps roadmap. If responsibilities are not well-defined, culture change doesn’t take effect and people don’t take ownership.

7. The future of DevOps is more focused on security and the adoption of DevSecOps, improving processes by utilizing AI/ML, and more automation.

More emphasis is needed on security and integrating security into DevOps upfront for DevSecOps.

AI and ML will enable organizations to make better decisions faster by providing unique analysis and correlating code, test results, user behavior, and production quality and performance. AI/ML brings a data-driven understanding of patterns: finding the patterns and providing remediation, resulting in self-driving and self-healing applications. Automation provides the opportunity to integrate changes in process with changes in culture to maximize flow, feedback, and continuous improvement.

8. Three things developers need to keep in mind with regard to DevOps/CI/CD are automation, alignment, and security.

Automate from your first deployment; never deploy manually. Think about automating everything you do. Shorten delivery cycles by embracing automation across software development, integration, and delivery pipelines. Have an agile mindset.

CI/CD is entirely dependent on automated tests. Without an extensive test suite for all the different parts of the code, developers will not have the confidence to have their applications continuously deployed to production, thus introducing friction into the development process.

It’s all about alignment. Everyone needs to be on the same page with the same process. We fail when we have divisions. Be a developer but understand security, operations, and deployment challenges. Be able to empathize with security and operations to deliver applications in a more efficient way to reduce organizational friction. Knowledge is power.