Approaching its 10-year anniversary, the movement is undergoing a renovation as some communities work to infuse security, making way for DevSecOps.
When John Stuart arrived at Jobvite more than three years ago, he encountered a rift between operations and engineering.
The recruiting software company wanted engineers and architects collaborating. It wanted production to become faster, more efficient.
Jobvite tasked Stuart, vice president of DevOps, security and IT, with reshaping process, partnership and collaboration, creating a DevOps-centric culture along the way.
Process implementation began with operational engineers explaining the value of “everything is code” and building the mindset across the business, Stuart told CIO Dive.
An early example of DevOps working was Jobvite’s ability to reduce deployment time from weeks to hours. One example inspires another until entire teams are onboard with DevOps.
Building in a DevOps process is growing in prominence as companies work to drive efficiency. It makes way for continuous technology iterations and deployments and offers solutions for businesses trying to compete in increasingly tech-savvy sectors.
More than one-quarter of developers “feel good” about their DevOps maturity, according to GitLab’s 2019 survey of more than 4,000 respondents. And elite performers are 1.53 times more likely to “meet or exceed” organizational goals, according to DevOps Research and Assessment’s 2018 State of DevOps report.
There’s no right way to change development at a company. It’s work requiring energy and patience, pushing companies to break the development status quo.
Approaching its 10-year anniversary, DevOps has a long way to go with enterprise adoption. The movement is undergoing a renovation as some communities work to add security, making way for DevSecOps.
What’s emerging is what works, and what doesn’t work quite as well, in the DevOps world: the good, the bad and the ugly.
Early successes in DevOps are easy to carve out.
Jobvite has the internal tooling, automation and DevOps culture required so employees can work, test and validate quickly.
“It’s allowed team members to grow and take on new responsibilities because I’m not being dependent on another group or I am not being gated or blocked by another group to get something done,” said Stuart.
DevOps is allowing for better visibility, according to GitLab’s survey. When a DevOps model is in place long term, 89% of respondents are more likely to have “good insight” on what projects colleagues are working on. This includes colleagues in development, operations or security roles.
There’s a collective body of knowledge around DevOps, without prescriptive guidance, said Jayne Groll, CEO of the DevOps Institute, in an interview with CIO Dive. “DevOps is part of new IT.”
Companies are feeling pressure to move quickly with implementation, opening a dialogue across businesses and sectors. Without rigid implementation, DevOps is emerging as a development culture individuals working in technology understand.
With DevOps, “we’re moving away from ‘what is it,’” Groll said. “We spend so much time trying to figure out ‘what is it’ that companies are now migrating to ‘how do we do it.’”
DevOps success can have a negative flipside: Rapid deployments set a standard.
“There is the expectation of the business that we can do everything super fast and get that done, which is a challenge,” Stuart said.
And deployment is easier for some groups than others. DevOps in certain teams looks a lot different than DevOps at scale across an enterprise with an army of developers.
When companies work to introduce security, the “Sec” of DevSecOps, it adds another wrench in the process.
From a startup perspective, introducing security into the DevOps process is easy because the extra person is creating bandwidth for coding, DJ Schleen, a DevSecOps advocate, told CIO Dive.
But with larger organizations, distributed worldwide, different development teams do different versions of DevOps pipelines and practices, he said. Some adopt security and some don’t, which is challenging for the security teams managing the programs.
The DevOps/DevSecOps cultural movement starts requiring tools to manage the process, which many believe is supposed to remain more holistic. The inevitable vendor reliance is a perennial challenge of implementing DevOps.
“There still is the fallback position of IT that we will solve this problem with technology,” said Groll. “The vendors don’t even support that.”
The vendors want to sell products, but they’re also starting to interoperate and understand the path to transformation, she said.
There is a lack of consistency about what the industry calls DevOps. Referring to it as DevSecOps is en vogue, but not standard. Some would introduce “Fin” to the title as well, to turn attention to the financial focus required to keep development budgets in check.
Calling DevOps different things is not harmful to the movement, per se. It simply highlights a growing pain.
DevOps by any other name is simply “development,” Schleen said. “I hate the word ‘DevSecOps’ because it says: ‘oh, here’s another silo.’”
“I would love to call it rainbow monkey unicorn pony,” he said.
Adding in security is a conscious decision for companies to break down development walls and communicate its importance without lecturing people. Security, then, becomes a mindset.
In the same way, too many companies are using the term DevOps, but using it incorrectly, according to Groll. Vendors are saying they’re DevOps and people are saying they’re DevOps engineers.
“It’s easy to be deceived in the market right now,” Groll said. “It’s easy to be lured into spending money or hiring talent that’s not going to deliver the value and everyone wants to jump into the DevOps pool because it’s the new, hot shiny thing and it’s the way for us to make money.”
As DevOps approaches its second decade, many industry disagreements will be ironed out. It simply requires time and maturity.
Jobvite is “going to continue to call it a ‘DevOps culture’ because that’s what’s most resonant out in the world, in the industry, especially as we’re hiring,” Stuart said. “As part of our tool chain, we always talk about the security side and the steps that are in there.”