The 5 phases of DevOps maturity
DevOps is cultural and technical
Software organizations conceived DevOps in reaction to the difficulties and limitations of running software development and IT operations in separate practices. Through DevOps, enterprises break down barriers between technology disciplines to unlock new levels in speed and quality for reliable releases to production.
Even the most advanced organizations continuously improve and redefine their approaches through the DevOps maturity lens. This guide will step you through the 5 key phases of DevOps maturity as they impact 7 different facets of your business: organization, delivery, automation, testing, security, monitoring, and operations.
Phase Zero: You haven’t started DevOps
Many pre-DevOps software organizations become so accustomed to the limitations of their technology workflow that they may not even be aware of better ways of working.
Organization
Development, operations, security, product owners, and users are all in separate teams with different incentives and priorities.
Delivery
The waterfall approach defines success by features and timelines rather than business outcomes.
Project-oriented release cycles focus on milestones over user or market changes.
Ideas take months or years to go into production.
Teams direct attention to fighting fires rather than adding value to the product.
Automation
Infrastructure is created and updated manually, a slow and error-prone process.
Servers are treated like pets instead of cattle, needing lots of individualized attention.
Testing
Testers work manually, making quality assurance a bottleneck.
Security
Security engages only weeks before go-live of a new release, focusing on the minimum security scans needed to meet compliance.
Monitoring
Teams learn about outages from the user, when they’re already in crisis.
Operations
Operations receives releases “over the fence” without the opportunity to plan.
Is there such a thing as a DevOps department? Purists will say creating another department is the antithesis of the DevOps ethos. DevOps is everybody’s job. But don’t let the perfect be the enemy of the good. Some organizations need to stand up temporary working groups or task forces to steer DevOps practices through entrenched silos.
Phase 1: DevOps in pockets
Small teams are most effective for piloting new DevOps practices. Many enterprises start their DevOps journey by realizing attainable wins before they extend to the broader organization.
Organization
Dev and Ops start working together on select, small-scale strategic projects.
Delivery
Blended teams introduce agile practices, directing their energy at business and user value over project planning.
Automation
Automated deployments reduce the risk and stress of releases.
Testing
Testers introduce unit, integration, and end-to-end testing to bring quality assurance earlier into the process.
Security
Security still operates separately (for now).
Monitoring
Basic external site monitoring alerts the team to risks and interruptions as soon as they impact the user.
Operations
Ops team stays ready and aware of forthcoming releases from development.
Team reviews availability and performance alerts for improvement opportunities.
What is DevSecOps and how does it fit? DevSecOps represents a trend, especially with government IT teams, where cybersecurity responsibilities are formally built into the processes. Security has always been a part of the DevOps ethos to frequently ship high-quality, reliable, and secure software. But DevSecOps helps emphasize the need to scan your own custom software, analyze the software dependencies in your supply chain, and build security from the inside out. This focus also helps agencies begin to better structure enterprise organizations and staff projects with the right security capabilities directly on the team.
Phase 2: Automation
Many find automated processes to be the most natural next step — and a foundational bedrock — for adopting DevOps practices.
Organization
Security staff join meetings well before deployments.
Delivery
Agile practices take deeper root across development, operations, design, and business groups.
Automation
Most infrastructure is automated so provisioning is repeatable and reliable, opening up possibilities for more frequent reliable deployments.
Testing
Security scans are integrated into testing protocols throughout the dev process, not just at deployment.
Security
Security gains a seat at the table for design, architecture, and Ops conversations.
Security staff support the testing team as they integrate scans into regular processes.
Monitoring
No change
Operations
Ops team incorporates new automation techniques into their practices.
DevOps, Lean, Agile, Scrum … These concepts are often mentioned together because they are rooted in a shared ethos. All these systems of thought suggest a shift away from measuring internal benchmarks and towards measuring success according to the customer’s experience.
Phase 3: Pipeline
A continuous integration pipeline capitalizes on investments in automation while starting to deliver tangible business benefits from DevOps culture.
Organization
Security staff become full-time members of the product team.
Delivery
Product-oriented thinking replaces the project-oriented approach of older waterfall methods.
Automation
Immutable infrastructure replaces old servers rather than updating them. Servers are treated like cattle, not pets.
Infrastructure and code updates are deployed via pipelines.
Security updates are built into the product development workflow.
Testing
Performance and load testing make deployments ready for production scale.
Security
Dependency management identifies 3rd-party vulnerabilities before they cause damage.
Continuous security monitoring distributes security awareness across the team.
Monitoring
Continuous application monitoring actively tracks the overall health for early detection of problems and incident root cause analysis.
Operations
Developers consider operations in their docs, analytics, and standard operating procedure changes.
Phase 4: Blended architecture
Breaking down silos starts to deliver business results when development and operations no longer work in separate technical environments.
Organization
No change
Delivery
Agile practices mature into Lean practices for even more business-focused workflows.
Complexity and technical debt are managed as investments in the future.
Automation
Self-service environment automation invites engineers to deploy the infrastructure they need when they need it.
Testing
No change
Security
No change
Monitoring
No change
Operations
No change
Dueling incentives: Developers are historically rewarded for delivering fast, so they like to use the latest and greatest techniques. Operations staff are rewarded for a safe environment, so they prefer to establish stable baselines, and then change as little as possible. DevOps creates shared objectives in place of these competing interests.
Phase 5: Continuous deployment
At ICF, we call this DevOps nirvana. While you’re never done improving and learning your DevOps practice, working in a continuous deployment environment fulfills the promise of time and energy serving the business and user needs first.
Organization
Multi-disciplinary organizations replace traditional corporate and government structures.
Delivery
A culture of continuous improvement sustains momentum for ongoing advancement.
Experimentation drives new product direction and process improvements.
Ideas go to production in hours or days.
Automation
New code that passes through all pipelines and environments is released into production without human intervention.
Testing
Soak tests anticipate product performance in real world situations before deployment.
Security
All groups and roles share security responsibilities.
Monitoring
Observability allows teams to actively analyze and debug production applications as they monitor.
Operations
Developers rotate on support shifts to sustain their understanding of operational and user concerns.