DevOpsDays Baltimore 2017. In my experience, I have found that the DevOps generalist that wears multiple hats is not as efficient as the DevOps practitioner that also understands Security and Business drivers but is able to focus on a primary area of expertise that is informed by the other domains. I propose, instead of limiting 'DevOps' to Development and Operations, to also include the dimensions of Security and Business. This talk will discuss practical means to help ensure security minded development, operations and prioritization and enabling innovation that delivers true business value. Practical means is more than just including a test tool; among other possible means, it includes commitment to cross-training, cultural norms such as trusting each team member, and incorporating business value validations in definition of done.

1. Adding the Business Dimension to DevOps
DevSecOpsNess

2. 1
DevSecOps… a relatively good state
Dev Ops
Sec

3. 2
If you’re doing DevSecOps well, you’re:
✓ Collaborating
✓ Integrating security early and often
✓ Expediting releases
✓ Embracing automation
✓ Improving quality

4. 3
Your product owner may be content.

5. 4
But…what about the business?

6. 5
DevSecOps still doesn’t ensure that you’re adding any value
to the business.
Sure, you’re delivering faster. Maybe even cheaper. Maybe
even ‘failing fast’. But are you really and truly delivering
what your business needs?

7. 6
Does your Code/Automation/Security Control incorporate
business understanding and provide any business value?

8. 7
What provides business value anyway?

9. 8
Add the Business Dimension

10. 9
Development: Challenge the Requirement
• What benefit is this providing?
• Would the end user really want it this way?
• Does this fit with the business’ strategy?
• Functionality
• Bug fix
• Chore

11. 10
Operations: Challenge the Process
• What benefit is this providing?
• Is the expectation accurate?
• Is this being done efficiently?
• Continuous Deployment
• Continuous Delivery
• Continuous Monitoring
• Incident Response

12. 11
Security: Challenge the Risk
• What benefit is this providing?
• Does the solution address the real problem?
• Is the solution based on quantitative analysis?
• Regulation
• Controls
• Assessments
• Monitoring

13. 12
Ensure every person understands business impacts

14. 13
• What is the purpose of the application or system?
Mission critical or not…

15. 14
• How does the requirement/process/control fit into the business’ mission or
strategy?
Alignment, alignment, alignment!

16. 15
• What is the cost of the proposed alternatives and how does that factor into
trade-off analysis?
$$$

17. 16
• What are the business constraints? Are they real or perceived?
Pragmatic DevOps…

18. 17
Innovative DevOps…
• Where is the market going for this?

19. 18
And, for the Business…
…add Business Agility!

20. 19
DevSecOpsNess: Thank You!