A few months ago, during our internal review in Stockholm, two of my teammates almost came to blows with each other. To the relief of my boss, they were not fighting for a salary increase, a bigger bonus, or deal credit. They were passionately arguing about the relevance of DevSecOps within an enterprise, and emotions ran high.
During my interactions with customers, I see a similar debate around DevSecOps, though emotions are fairly tempered, unlike within my team. One set of customers downright rejects the relevance of DevSecOps, saying that their organizational culture is not yet ready for it. Another set believes that DevSecOps works only in pockets and is not needed at the enterprise level. A third set believes that DevSecOps = Application Operations + Application Development.
Nothing could be further from the truth, and with multiple stakeholders holding varying opinions, it is difficult to separate the wheat from the chaff.
The first and most important thing to understand about DevSecOps is that no magic bullet will get you to an ideal state overnight. DevSecOps is a mindset shift that emphasizes collaboration, automation, and continuous improvement. It brings together development, operations, and security teams to work in harmony, with a shared responsibility for the security of software applications.
Key Principles of DevSecOps:
1. Shifting Left: One of the fundamental principles of DevSecOps is shifting security practices to the left. This means integrating security measures early in the software development process. Developers work closely with operations and security teams to identify and address security vulnerabilities at the earliest stages, reducing the risk of security breaches later on.
2. Automation: DevSecOps leverages automation to streamline security processes and reduce human error. By automating security testing, vulnerability scans, and code analysis, organizations can identify and remediate security issues more efficiently. Automation also enables continuous monitoring and ensures that security measures are consistently applied throughout the software development lifecycle.
3. Collaboration: Collaboration is at the heart of DevSecOps. It brings together development, operations, and security teams to foster open communication and shared responsibility. By breaking down silos and encouraging cross-functional collaboration, organizations can address security concerns proactively and build a culture of security awareness.
However, some customers are still not convinced that DevSecOps is needed in their organizations. They believe that if there is no change velocity, then DevSecOps is optional. Change velocity, however, is not the only criterion for deciding whether an application should move to DevSecOps.
One of the customers, whom I immensely respect for his unbiased rationale, has always advised me to seek refuge in data when faced with a subjective onslaught.
So that took me to the book Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations, written by Nicole Forsgren, Jez Humble and Gene Kim, who studied what separated high-performing organizations from their less effective counterparts after sampling 23,000 datasets from organizations across the world.
Rather than accepting the excuse that the organizational culture is not ready for DevSecOps, the study revealed that adopting DevSecOps can itself change the organizational culture.
The secret lies in four metrics, which measure software delivery performance and distinguish the elite performers in the tech space.
1. Deployment Frequency: The frequency with which an organization releases new code to production reflects its ability to rapidly deliver features, fixes, and updates to customers.
2. Lead Time for Changes: The time it takes for a code commit to be deployed into production measures an organization’s efficiency in progressing from idea to usable product.
3. Mean Time to Restore (MTTR): This metric assesses an organization’s capability to recover from failures, a crucial aspect of maintaining reliability and trustworthiness.
4. Change Fail Rate: The percentage of changes that result in degraded service (and therefore need remediation such as a hotfix, rollback, or fix forward) gauges an organization's ability to implement changes without disrupting the user experience.
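To make the four metrics concrete, here is a small worked example (added for this post; it is not code from Accelerate or from any vendor tool) that computes them from a constructed set of deployment and incident records covering a 14-day window. The record types, the sample data, and the timestamps are all assumptions made up for illustration; a real team would populate them from its CI/CD system and incident tracker. It goes one step beyond the book's definitions by also reporting lead time for security fixes on their own, which is the figure a DevSecOps team watches to see how fast a vulnerability patch actually reaches production.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, List

# Hypothetical record types (assumption for this example): one row per
# production deployment and one row per production incident.
@dataclass(frozen=True)
class Deployment:
    deploy_id: str
    committed_at: datetime   # oldest commit shipped in this deployment
    deployed_at: datetime    # when the change reached production
    failed: bool             # caused degraded service (hotfix/rollback/fix forward needed)
    security_fix: bool       # the deployment shipped a vulnerability fix

@dataclass(frozen=True)
class Incident:
    deploy_id: str           # the deployment that caused the incident
    started_at: datetime
    restored_at: datetime

def _ts(text: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp such as 2024-03-01T09:00."""
    return datetime.fromisoformat(text)

# Constructed sample data for a 14-day window; not real telemetry.
DEPLOYMENTS: List[Deployment] = [
    Deployment("d1", _ts("2024-03-01T09:00"), _ts("2024-03-01T11:00"), False, False),
    Deployment("d2", _ts("2024-03-02T10:00"), _ts("2024-03-02T16:00"), True,  False),
    Deployment("d3", _ts("2024-03-03T08:00"), _ts("2024-03-04T08:00"), False, True),
    Deployment("d4", _ts("2024-03-05T12:00"), _ts("2024-03-05T13:00"), False, False),
    Deployment("d5", _ts("2024-03-07T09:00"), _ts("2024-03-07T12:00"), False, True),
    Deployment("d6", _ts("2024-03-08T14:00"), _ts("2024-03-10T14:00"), True,  False),
    Deployment("d7", _ts("2024-03-12T09:00"), _ts("2024-03-12T10:30"), False, False),
]
INCIDENTS: List[Incident] = [
    Incident("d2", _ts("2024-03-02T16:30"), _ts("2024-03-02T17:15")),
    Incident("d6", _ts("2024-03-10T15:00"), _ts("2024-03-10T17:30")),
]
WINDOW_DAYS = 14

def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0

def deployment_frequency(deploys: List[Deployment], window_days: int) -> float:
    """Deployment Frequency: production deployments per day over the window."""
    return len(deploys) / window_days

def lead_time_for_changes(deploys: List[Deployment], security_only: bool = False) -> float:
    """Lead Time for Changes: median hours from commit to production.
    With security_only=True, only deployments carrying a vulnerability fix count."""
    selected = [d for d in deploys if d.security_fix] if security_only else list(deploys)
    if not selected:
        raise ValueError("no deployments to measure")
    return median(_hours(d.committed_at, d.deployed_at) for d in selected)

def mean_time_to_restore(incidents: List[Incident]) -> float:
    """MTTR: mean hours from incident start to service restored (0.0 if none)."""
    if not incidents:
        return 0.0
    return mean(_hours(i.started_at, i.restored_at) for i in incidents)

def change_fail_rate(deploys: List[Deployment]) -> float:
    """Change Fail Rate: fraction of deployments that degraded service."""
    if not deploys:
        return 0.0
    return sum(1 for d in deploys if d.failed) / len(deploys)

def failed_without_incident(deploys: List[Deployment], incidents: List[Incident]) -> List[str]:
    """Data-quality check: a failed deployment with no incident record means
    MTTR is being computed on incomplete data, so flag it before trusting the report."""
    recorded = {i.deploy_id for i in incidents}
    return [d.deploy_id for d in deploys if d.failed and d.deploy_id not in recorded]

def dora_report(deploys: List[Deployment], incidents: List[Incident], window_days: int) -> Dict[str, float]:
    return {
        "deployments_per_day": deployment_frequency(deploys, window_days),
        "lead_time_median_hours": lead_time_for_changes(deploys),
        "security_fix_lead_time_median_hours": lead_time_for_changes(deploys, security_only=True),
        "mttr_mean_hours": mean_time_to_restore(incidents),
        "change_fail_rate": change_fail_rate(deploys),
    }

if __name__ == "__main__":
    for name, value in dora_report(DEPLOYMENTS, INCIDENTS, WINDOW_DAYS).items():
        print(f"{name:40s} {value:8.3f}")
    print("failed deployments lacking an incident record:",
          failed_without_incident(DEPLOYMENTS, INCIDENTS) or "none")
```

On the sample data this reports 0.5 deployments per day, a median lead time of 3 hours overall but 13.5 hours for security fixes, an MTTR of 1.625 hours, and a change fail rate of 2 out of 7. The gap between the overall and the security-fix lead time is exactly the kind of signal that the "shift left" principle above is meant to close, and the consistency check at the end is there because the metrics are only as honest as the incident records behind them.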
These metrics encapsulate the essence of DevOps practices: rapid deployment, short lead times, swift recovery from incidents, and low change failure rates. They are measurable, objective, and universally applicable across industries.
"Accelerate" doesn't just highlight these metrics; it provides a statistical backbone that correlates them with IT and organizational performance.
By focusing on these metrics, Accelerate not only articulates what to measure but also ties these measurements to broader business outcomes, such as customer satisfaction, operational performance, and financial results.
Improvement in the above metrics correlates directly with enterprise cycle time, that is, the time it takes for an idea to be executed in the real business world. Higher performers are 2x more likely to meet their commercial goals (productivity, profitability, market share, number of customers) and non-commercial goals (quantity of products or services, operating efficiency, customer satisfaction, quality of products or services, and achieving organizational or mission goals).
Organizations that do well under these 4 DevOps metrics have a 50% higher market cap growth over 3 years.
The striking aspect of Accelerate is its emphasis on Continuous Delivery (CD) as a foundational element of high performance, a point I stress when I talk to my customers. CD is the practice of keeping the codebase deployable at any moment, and the book shows how CD enables both faster delivery and improved product quality. By automating the build, test, and deployment processes, organizations can reduce human error, increase confidence in the deployment process, and deliver value to customers faster. This is the key advantage of embedding a DevSecOps culture in an organization.
Every flap of a butterfly's wings has an impact. Similarly, the practice of DevSecOps reaches beyond the technical environment and the metrics. DevSecOps forces a shift in the cultural mindset within the organization. Practices like blameless postmortems, fostering collaboration across departments, and encouraging continual learning are fundamental to creating a high-trust culture that promotes risk-taking and innovation. Leadership plays a pivotal role in shaping this culture. DevSecOps becomes a catalyst for a learning organization, one that is skilled at creating, acquiring, and transferring knowledge, and at modifying its behavior to reflect new knowledge and insights.
Overall, what sets Accelerate apart from similar works is its reliance on data drawn from four years of surveys conducted by the authors. The findings presented are based not on anecdotal evidence but on analysis of responses from thousands of technology professionals. This evidence-based approach gives credence to the authors' claims and provides a roadmap for others seeking to replicate this success. The greatest takeaway for me is that DevSecOps transcends the technical advantages within the software development cycle. It acts as a catalyst for changing the organizational culture and catapulting the organization into the ranks of the elite performers.