Clarifying DevOps Maturity

The term “DevOps maturity” refers to how much organizations have completed and how much they still have yet to accomplish in their DevOps journey. According to CA Technologies, organizations can use four areas to gauge their level of DevOps maturity. These are as follows:
- Culture and Strategy: DevOps is a cultural shift in that it removes boundaries and brings development and operations teams together. Such a transition requires careful planning if it is to be successful in the long term.
- Automation: Automation unifies tools in such a way that teams can share them. In DevOps, for instance, automation facilitates continuous delivery and continuous deployment. It also enables teams to be creative and not waste their time working through various repeatable tasks.
- Structure and Processes: The modern business has processes for everything from incident response systems to communication tools. It’s therefore no wonder that processes feature heavily in DevOps.
- Collaboration and Sharing: Employees might be dispersed around the world, but they still need to be able to work alongside each other in support of a DevOps culture. This collaboration requires that employees align their tools and resources.
- Unconscious Incompetence: Organizations in this stage don’t understand what DevOps is and therefore fail to grasp its business advantages. As such, none of the factors are present in this particular manifestation.
- Conscious Incompetence: Within 12 to 18 months of starting their DevOps journey, organizations usually seize on many of DevOps’ automation components to try to automate their processes. That being said, teams generally still perform much of this work within silos. There’s little to no collaboration and sharing of resources involved.
- Conscious Competence: Within four years of embarking on their DevOps voyage, organizations have successfully done all they want with automation. They then begin to focus on improving collaboration across all platforms and building a platform that can streamline the sharing of resources and tools between development and operation teams.
- Unconscious Competence: Organizations have created a robust DevOps culture that supports in-depth collaboration between teams with the help of a formalized structure and concrete processes for sharing tools and resources.
The Link to DevOps Security

The level of DevOps maturity directly relates to an organization’s competitive edge for releasing better software faster. As organizations become more DevOps-mature, their rate of digital innovation increases. That is, until these software deliveries crash into bolted-on security measures, protective afterthoughts which almost always delay the deployment chain. DevOps maturity thereby inevitably forces organizations to reconsider their security practices. This step involves moving security into the DevOps domain so that it becomes closer to the application itself.

Typically, DevOps teams at mature organizations work with security personnel to build security into earlier parts of the software development lifecycle. They can even use containers to deliver security fixes on a continuous basis and limit the amount of resources which attackers can compromise with a single attack. Such collaboration is essential for realizing the security advantages of DevOps maturity. As Dark Reading notes in a blog post:
“Security and DevOps teams can work together to protect the infrastructure. Security team members don't have to fully understand all the development tools — they can focus on sharing the security principles and policies to apply to the new dev tools. DevOps and security can better learn how to work together in new ways and speak each other's language if they implement a container security platform that integrates native DevOps tooling.”

Realizing this level of collaboration isn’t easy by default. Gurpreet Sachdeva explains in an article for the State of Security how organizations need to find a way to embed security within the DevOps lifecycle without hampering speed and agility. They also need to help reconcile the conflicting goals of development, which wants software released as soon as possible, and security, which wants all vulnerabilities addressed, in the name of effective communication.